APPROVED by
Order of General Director of OJSC MZKT
dated 13.04.2022 No. 185
(as amended by Order of General Director of OJSC MZKT
dated 05.05.2023 No. 228)
PERSONAL DATA
PROCESSING POLICY OF OJSC MZKT
CHAPTER 1
GENERAL PROVISIONS
1.1. Open Joint Stock Company Minsk Wheel Tractor Plant (OJSC MZKT) is the operator which, whether independently or jointly with other persons, arranges and/or carries our processing of personal data (the “Operator”).
1.2. The Personal Data Processing Policy of the Operator (the “Policy”) determines the principal approaches of the Operator to processing of personal data, their protection and exercise of the rights and freedoms of personal data subjects.
1.3. In processing personal data, the Operator shall ensure security and confidentiality of the processed personal data by taking legal, organizational and technical measures aimed at the elimination of any unlawful disclosure of, access to, deletion of, modification or copying of and any other unlawful actions in relation to such information.
1.4. The requirements of the Policy and of local legal acts (the “LLA”) of the Operator developed on the basis of the Policy shall apply to all the business processes of the Operator, as well as to other processes that, by virtue of legislation, involve processing of personal data, and shall be mandatory for all the employees of the Operator having access to personal data.
1.5. The Policy was developed in compliance with:
the Constitution of the Republic of Belarus;
Law of the Republic of Belarus dated 07.05.2021 No. 99-3 Concerning Protection of Personal Data (the “Law No. 99-3”);
Law of the Republic of Belarus dated 10.11.2008 No. 455-3 Concerning Information, Informatization and Protection of Information;
Decree of President of the Republic of Belarus dated 28.10.2021 No. 422 Concerning Measures to Improve Personal data Protection;
Order of the Executive Analytical Center of President of the Republic of Belarus dated 20.02.2020 No. 66 Concerning Measures to Implement Decree of President of the Republic of Belarus dated December 9, 2019, No. 449;
other regulatory legal acts relating to personal data processing.
1.6. If an international treaty of the Republic of Belarus should establish rules differing from those provided for by Law 99-3, the Operator shall apply rules of the international treaty.
CHAPTER 2
KEY TERMS AND THEIR DEFINITIONS
The LLA of the Operator regulating the issues of processing and protection of personal data use the following terms and their definitions:
biometric personal data – information characterizing physiological and biological features of a person and used for unambiguous identification of the person (finger and palm prints, irises, features and images of the face and others);
personal data blocking – termination of access to personal data without deleting them;
genetic personal data – information related to inherited or acquired genetic characteristics of a person which contains unique data on the person’s physiology or health, and may be detected, in particular, during a study of a biological sample of that person;
anonymization of personal data – actions resulting in the impossibility to attribute, without additional information, personal data to specific personal data subject;
processing of personal data – any action (operation) or a set of actions (operations) performed on personal data including collection, systematization, storing, refinement (updating), alteration, use, anonymization, blocking, distribution, provision and deletion of personal data;
publicly available personal data – personal data disclosed by the personal data subject itself, or with its consent, or distributed in accordance with requirements of legal acts;
operator – a government agency, a legal entity of the Republic of Belarus, other organization or a physical person, including individual entrepreneurs (hereinafter unless otherwise is defined this latter being a physical person) that arrange and/or carry out processing of personal data either individually or jointly with other stated persons;
personal data – any information relating to an identified physical person or an identifiable physical person;
provision of personal data – actions aimed at making personal data of a certain person or a group of persons available;
distribution of personal data – actions aimed at making personal data of a group of unspecified persons available;
special personal data – personal data related to the racial origin or national affiliation, political views, membership in professional unions, religious and other beliefs, health or sexual life, administrative or criminal prosecution record, as well as biometric and genetic personal data;
personal data subject – a physical person being the subject of personal data processing;
trans-border transfer of personal data – transfer of personal data to a foreign state;
deletion of personal data – actions resulting in the impossibility to restore personal data kept within information resources (systems) that contain personal data and/or resulting in the destruction of the physical personal data media;
authorized agency – a government agency, a legal entity of the Republic of Belarus, other organization or a physical person which, in accordance with a legal act or a resolution of a government agency being the operator, or on the basis of a contract concluded with the operator, carries out processing of personal data in the name of the operator or on its behalf;
identifiable physical person – a physical person that may be directly or indirectly identified by, among other things, family name, given name, patronymic name, date of birth, identification number or by one or more attributes characteristic to the person’s physical, psychological, mental, economic, cultural or social identity;
information – knowledge (messages, data) regardless of of its form and presentation;
automatic personal data processing – processing of personal data with the use of computing facilities;
counteragent – a physical person or a legal entity including individual entrepreneurs acting as a party in an arrangement by way of concluding a civil contract;
confidentiality of information – the requirement to prevent any disclosure and/or provision of information without the consent of its owner or in the absence of a different basis provided for by legal acts;
physical media of personal data:
paper medium – a physical medium of information which permits reading of the information contained in it without the use of computing equipment;
fixed data medium – a data medium which is built into the body of a computing facility (CF) and used to record, store and process information (built-in hard drives and other devices);
removable data medium (RDM) – a machine-readable carrier of information used to record, store and process information (flash drives, external hard drives, CD disks and other devices);
technical means: computing facilities, office automation equipment, network equipment and multimedia hardware.
CHAPTER 3
GOALS AND LEGAL BASIS FOR PERSONAL DATA PROCESSING
3.1. The goals of personal data processing by the Operator shall be based on business processes of the Operator and the requirements of the legislation.
Goals of personal data processing of personal data subjects are:
carrying out business activities;
carrying out financial activities;
exercise of rights and lawful interests of the Operator as part of carrying out business activities provided for by the Statute of the Operator;
preparation, conclusion and performance of civil contracts;
pre-judicial and court activities including collection of debt;
maintenance of access and site security regime;
trans-border transfer of personal data;
arrangement of business trips of employees of the Operator, including trips abroad;
maintenance of occupational safety and control of labor protection;
provision of necessary cadre of managers, specialists and workers for the Operator;
management of labor relationships;
maintenance of military registration and records;
formalization and issue of personal records;
provision of employees of the Operator, including former employees and their family members, additional guarantees and compensations in accordance with collective employment agreement;
carrying out administrative procedures;
processing of submissions and statements;
organization of ideology and information-related processes within the collective;
organization of recreation, cultural and sports events;
management of interactions with youth organizations;
other goals provided for by the laws.
3.2. The formulation of the goals of personal data processing with the aim of refinement of their nature shall be carried out using personal data processing registers developed by subsidiaries and divisions of the 1st level of management of the Operator.
3.3. Legal basis for personal data processing are:
3.3.1. consent of the personal data subject which shall be free, explicit and informed;
3.3.2. receipt of personal data based on a contract concluded (to be concluded) with the personal data subject for the purpose of carrying out actions prescribed by that contract;
3.3.3. without consent of the personal data subject:
when formalizing employment relationships, as well as in the course of labor/employment activities of the personal data subject – in event provided for by the laws;
when processing personal data in the event that they are stated in a document addressed to the Operator and in compliance with with the content of the document;
when processing previously distributed personal data prior to the moment of their recall by the personal data subject;
in accordance with Articles 6 and 8 of the Law No. 99-3 and other legal acts.
CHAPTER 4
CATEGORIES OF PERSONAL DATA SUBJECTS. THE LIST OF PROCESSED PERSONAL DATA
4.1. Categories of personal data subjects whose personal data shall be subjected to processing.
The Operator may process personal data of the following categories of personal data subjects:
employees and former employees of the Operator;
parents, legal guardians, trustees, spouses and children of employees of the Operator;
applicants (office-seekers) – for the purpose of employment at the Operator;
counteragents of the Operator being physical persons (individual entrepreneurs);
representatives of counteragents of the Operator being legal entities;
contractors of the Operator being physical persons (individual entrepreneurs), as well as representatives of such counteragents being legal entities;
affiliates of the Operator;
claimants being physical persons, as well as physical persons representing claimants being legal entities addressing the Operator with a request or a submission or posting a message, request or a comment on websites of the Operator;
visitors being physical persons present at premises of the the Operator as part of a business trip or a business visit including those coming from abroad;
other categories of personal data subjects whose personal data must be processed by the Operator in order to achieve the goals provided for by the business processes and the laws.
4.2. The list (content and scope) of personal data of each category of subjects shall be determined based on the necessity to achieve specific goals of their personal data processing, as well as the necessity for the Operator to exercise its rights and obligations and the rights and obligations of the respective subject.
Personal data shall be processed by the Operator shall include the following:
family name, given name, patronymic name;
date of birth;
place of birth;
citizenship;
passport Information or information stated in other document of identification (series and number, date of issue, name of the issuing authority, identification number, period of validity etc.);
photograph;
contact information including business and home and/or mobile telephone numbers, electronic mail address etc.);
gender;
address of the place of registration;
address of actual residence;
information on the profession, specialization and qualification level;
information on social benefits and payments;
information on marital partnership status and family composition including family names, given names and patronymic names of members of the family and their dates of birth;
information on the state of health in cases provided for by the laws;
information on education, further training and professional development, academic degree and academic rank;
information on employment including duration of service and employment history stating the position, division, information on the employer etc.);
citation and reward record;
number and series of the state social insurance certificate;
information on marriage registration;
information on military registration;
information on maintenance deductions;
information on administrative or criminal prosecution;
other information provided by employees in compliance with the requirements of the legislation of the Republic of Belarus (or) those required to execute mutual rights and perform obligations.
4.3. Categories of personal data subjects and lists (content and scope) of the processed personal data in accordance with the specific objectives of their processing shall be listed in their entirety in personal data processing registers as approved by heads of subsidiaries and divisions of the 1st level of management.
CHAPTER 5
THE PROCEDURE OF PERSONAL DATA PROCESSING
5.1. Processing of personal data by the Operator shall include any action or set of actions carried out on personal data including collection, systematization, storage, alteration, use, anonymization, blocking, distribution, provision and deletion of personal data, as well as other actions in compliance with the laws.
5.2. Sources of personal data:
receipt of information containing personal data in oral, written or electronic form directly from personal data subjects;
receipt of information containing personal data from original copies of documents provided by personal data subjects;
receipt of personal data in response to inquiries forwarded by the Operator to government agencies and other public authorities, commercial and nonprofit organizations and to physical persons in cases and in the manner provided for by the laws;
receipt of personal data from publicly available sources.
5.3. The basis for processing of personal data is the consent of the personal data subject with the exception of cases established by the Law 99-3 and other legal acts.
5.4. Processing of personal data in the name of the Operator or on its behalf may be carried out by authorized persons based on a contract concluded between the Operator and the authorized person in accordance with the laws.
5.5. Types of processing of personal data by the Operator:
non-automated processing of personal data;
automated processing of personal data involving transmission of the resulting information via telecommunication networks or without such transmission;
combined processing of personal data.
5.6. The Operator shall transfer personal data:
to the personal data subject when the data relate to that subject – without limitations, with the exception of cases explicitly provided for by the requirements of the laws;
to third persons – in cases provided for by the requirements of the laws.
5.7. Personal data shall be stored on the following physical media:
paper media;
fixed data media;
removable data media;
technical means: computing facilities, office automation equipment, network equipment and multimedia hardware.
Storage of personal data is carried out in the manner permitting to identify the personal data subject.
5.8. Term of retention of documents containing personal data shall be determined annually by the nomenclature of files of the Operator that shall include files on paper media, electronic files, and combined files (both on paper and electronic media). The file nomenclature and the procedure of compiling of the files shall be in accordance with the requirements of the Guidelines on Record Management in Government Agencies and Other Organizations as approved by the Order of the Ministry of Justice of the Republic of Belarus dated 19.01.20223 No. 4.
Terms of retention of the documents comprising the nomenclature shall be determined in accordance with the List of Standard Documents of the National Archives of the Republic of Belarus generated in the course of activities of government agencies and other organizations and individual entrepreneurs, and shall state period of retention, as approved by the Order of the Ministry of Justice of the Republic of Belarus dated 24.05.2012 No. 140.
Terms of retention of documents not included in the lists of documents requiring stated periods of retention shall be determined by the Expert Committee of the Operator in accordance with the requirements of the mentioned Guidelines.
5.9. Processing of personal data may be terminated for the following reasons: achievement of the goals of personal data processing, expiration of the retention period of documents containing personal data, recall by the personal data subject of its consent for personal data processing, as well as discovery of unlawful personal data processing.
CHAPTER 6
RIGHTS OF PERSONAL DATA SUBJECTS
6.1. In compliance with Articles 10 to 13 of the Law No. 99-3, a personal data subject shall have the following rights:
- recall its consent for personal data processing;
- require information relating to processing of its personal data;
- require the Operator to amend its personal data in the event that the personal data are incomplete, obsolete or inaccurate;
- require from the Operator information on the provision of its personal data provided to third persons (free of charge once annually) unless otherwise provided for by the laws;
- require the Operator (free of charge) to cease processing of its personal data including their deletion in the event there are no basis for processing of personal data provided for by the laws.
6.2. To exercise the rights listed in clause 6.1 of this Chapter, personal data subject shall submit to the Operator a request in written or in the form of an electronic document. Legal acts may provide for the obligation of the personal data subject to attend in person and to provide an identification document when submitting the request to the Operator in written.
The request of the personal data subject shall contain the following:
- family name, given name, patronymic name (if any) of the personal data subject, the address of its place of residence (temporary residence);
- the date of birth of the personal data subject;
- identification number of the personal data subject or, in the absence of such a number, the number of the document of identification of the personal data subject – in the event that this information was stated by the personal data subject when giving its consent to the Operator or when personal data is processed without consent of the personal data subject;
- the subject of the request of the personal data subject;
- personal signature or digital signature of the personal data subject.
6.3. The exercise by personal data subjects of the rights stated in clause 6.1 of this Chapter may be limited in cases stated in Articles 10 to 13 of the Law No. 99-3, and the personal data subject shall be informed to that effect in reply to its request.
6.4. The procedure of submitting requests by personal data subjects to the Operator and of processing of the requests by the Operator.
A written request by the personal data subject signed with its personal signature shall be forwarded to the address of: Open Joint Stock Company Minsk Wheel Tractor Plant (OJSC MZKT), Partizansky Ave., 1650, 220021, Minsk.
The personal data subject’s request having the form of an electronic document and signed using an electronic signature shall be forwarded to one of the following e-mail addresses of the Operator: link@mzkt.by or www.mzkt.by.
All the received requests of personal data subjects shall be registered on the date of their receipt by the Secretary of the Office of Deputy General Director of the Operator responsible for matters related to personal data protection.
Written requests of personal data subjects being employees of the Operator may be forwarded to the Secretary for registration via heads of subsidiaries and divisions of the 1st level of management of the Operator.
The registered requests shall be put for review by the mentioned Deputy General Director who shall manage their further processing.
Replies to requests shall be forwarded to the personal data subject in the form corresponding to the form of the submitted request unless the requests states otherwise.
6.5. Assistance in the exercise of rights of personal data subjects may be sought in the Bureau of Personal Data Protection of the Operator which is responsible for internal compliance control of processing of personal data. Contact telephone number: 8 (017) 330 18 81.
6.6. Personal data subject may appeal against any actions (failure to act) and decisions of the Operator that violate the rights of the personal data subject related to processing of personal data to National Personal Data Protection Center in the manner prescribed by the Law of the Republic of Belarus dated 18.07.2011 No. 300-3 Concerning Appeals of Citizens and Legal Entities. The resolution adopted by National Personal Data Protection Center may be contested by the personal data subject in court in the manner provided for by the laws.
CHAPTER 7
TRANS-BORDER TRANSFER OF PERSONAL DATA
7.1. In the course of its activities, the Operator may carry out trans-border transfer of personal data.
Prior to the commencement of trans-border transfer of personal data, the Operator shall ensure that the foreign state to which the personal data are expected to be transmitted makes arrangements for reliable protection of the rights of personal data subjects.
Trans-border transfer of personal data to foreign states that does not comply with the above requirement may only be carried out in the cased provided for by:
7.2. clause 1 of Article 9 of the Law No. 99 – З:
the personal data subject has given its consent provided that the personal data subject was informed on the risks associated with lack of relevant personal data protection;
the personal data were received as part of a contract concluded (to be concluded) with the personal data subject for the purpose of carrying out actions prescribed by that contract;
the relevant permission was granted by National Personal Data Protection Center;
7.3. by sub-clause 1.1 of clause 1 of Order of National Personal Data Protection Center of the Republic of Belarus dated November 15, 2021 No. 14 Concerning Trans-Border Transfer of Personal Data:
when information on activities of government agencies, public organizations, as well as business entities in relation to which the Republic of Belarus or its administrative and territorial unit may have control made by these business entities through the ownership of shares, is placed in the global computer network Internet;
in cases when processing of personal data is necessary for the performance of duties (authorities) provided for by the laws.
CHAPTER 8
FINAL PROVISIONS
This Policy shall be publicly available.
Public availability of the Policy shall be ensured by way of publishing it at the public website of the Operator (www.mzkt.by), as well as at the intranet website (volat.by).
The Operator shall have the right to amend the Policy.