Khomichuk Pavel Pavlovich

Phone: +375 1642 7 15 07

225861, Republic of Belarus,
Brest region, Kobrin district, Khidrinsky village council, 22/5

Republic of Belarus
, Brest region, Kobrin district, village Peski-2

Resource number - 213637
Registration date - 03/13/2026
Resource address - brest-kolos.com
Resource address - brest-kolos.by
Resource owner - Municipal Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos"

Head of Sector
Gordeychuk Maxim Igorevich
Phone: +375 162 26 97 98

Leading Assistant
Yushchuk Elena Viktorovna
Phone: +375 162 26 98 00

Head of the group
Semashkevich Galina Petrovna
Phone: +375 162 26 98 01

Leading economist
Kuchinskaya Natalya Serafimovna
Phone: +375 162 26 98 02

HOTLINE PHONE: 26 97 88, from 8:30 AM to 1:00 PM, from 2:00 PM to 5:30 PM,
EMAIL ADDRESS: uo@brest-region.gov.by,
WEBSITE ADDRESS: https://brest-edu.gov.by
, Location: Brest, Lenin St., 11

Head of the Main Directorate Natalya Anatolyevna Kalinovskaya, tel. 26 97 87, Office No. 105, 4th floor (station building)
Reception of citizens on the third Wednesday of the month from 8:00 to 13:00

First Deputy Head of the Main Directorate SAVICH Tatyana Alekseevna Tel. 26 97 89 Office No. 105 4th floor (station building)
Reception of citizens on the first Wednesday of the month from 8.00 to 13.00

Deputy Head of the Main Directorate Irina Aleksandrovna POPOVA Tel. 26 97 90 Office No. 116 4th floor (station building)
Reception of citizens the second Wednesday of the month from 8.00 to 13.00

Pre-registration for an appointment is carried out by Nadezhda Vladimirovna Sakharchuk,
tel. 26 97 88, Office No. 103, 4th floor (station building)

Municipal unitary enterprise
Children's Rehabilitation and Health Center "Kolos"
(KUP "Children's rehabilitation and health center "Kolos") APPROVED
Order of the Director of the State Unitary Enterprise "Kolos" Children's Health Center
from _03.03.2023 No. 75-P

OPERATOR POLICY 03.03.2023 No. 1
Khidrinsky village council, 22/5, Kobrin district

Regarding the processing of personal data

CHAPTER 1 GENERAL PROVISIONS

1. The personal data processing policy of the State Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos" (hereinafter referred to as the Policy) defines the basic principles, goals, conditions and methods of processing personal data, the lists of subjects and personal data processed at the State Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos" (hereinafter referred to as the State Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos"), the functions of the State Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos" in processing personal data, the rights of personal data subjects, as well as the requirements for the protection of personal data implemented at the State Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos".
2. The policy has been developed taking into account the requirements of the Constitution of the Republic of Belarus, legislative and other regulatory legal acts of the Republic of Belarus in the field of personal data.
3. The provisions of the Policy serve as the basis for the development of local legal acts regulating the processing of personal data of employees of the Kolos State Unitary Enterprise of the Children's and Youth Center and other subjects of personal data in the Kolos State Unitary Enterprise of the Children's and Youth Center.

CHAPTER 2
LEGISLATIVE AND OTHER REGULATORY LEGAL ACTS OF THE REPUBLIC OF BELARUS, IN ACCORDANCE WITH WHICH IT IS DETERMINED
PERSONAL DATA PROCESSING POLICY AT THE KOLOS RESEARCH AND CARE CENTER

4. The personal data processing policy at the State Unitary Enterprise "Kolos" Children's Health Center is determined in accordance with the following regulatory legal acts:
Constitution of the Republic of Belarus; Labor Code of the Republic of Belarus;
Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data"; Law of the Republic of Belarus dated 21.07.2008 No. 418-Z "On the Population Register";
Law of the Republic of Belarus of 10.11.2008 No. 455-Z "On information, informatization and information protection";
other regulatory legal acts of the Republic of Belarus and regulatory documents of authorized state authorities.
5. In order to implement the provisions of the Policy, the State Unitary Enterprise "Kolos" Children's Health Center develops relevant local legal acts and other documents, including:
Regulation on the processing and protection of personal data in the State Unitary Enterprise "Kolos" Children's Health Center (Appendix 1);
Regulation on the procedure for ensuring confidentiality when processing information containing personal data (Appendix 2);
other local legal acts and documents regulating the KUP DROC
Kolos: questions on personal data processing.

CHAPTER 3
MAIN TERMS AND DEFINITIONS USED IN LOCAL LEGAL ACTS OF THE KULA DROTS "KOLOS" REGULATING THE ISSUES OF PERSONAL DATA PROCESSING

6. Biometric personal data - information characterizing the physiological and biological characteristics of a person, which is used for his unique identification (fingerprints, palm prints, iris, facial characteristics and its image, etc.).
7. Blocking personal data – terminating access to personal data without deleting it.
8. Genetic personal data - information related to the inherited or acquired genetic characteristics of a person, which contains unique data about his physiology or health and can be identified, in particular, during the examination of his biological sample.
9. Depersonalization of personal data - actions as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.
10. Processing of personal data – any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, and deletion of personal data.
11. Publicly available personal data - personal data distributed by the subject of personal data or with his consent, or distributed in accordance with the requirements of legislative acts.
12. Personal data - any information relating to an identified or identifiable individual.
13. Provision of personal data - actions aimed at familiarization with the personal data of a certain person or group of persons.
14. Dissemination of personal data - actions aimed at familiarizing an indefinite number of persons with personal data.
15. Special personal data - personal data relating to racial or national origin, political views, membership in trade unions, religious or other beliefs, health or sexual life, administrative or criminal liability, as well as biometric and genetic personal data.
16. Subject of personal data - an individual in relation to whom personal data is processed.
17. Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state. Deletion of personal data - actions as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which tangible media containing personal data are destroyed.
18. An identifiable natural person is a natural person who can be directly or indirectly identified, in particular by reference to his surname, first name, patronymic, date of birth, identification number or one or more features specific to his physical, psychological, mental, economic, cultural or social identity.
19. Information – data (messages, data) regardless of the form of its presentation.
20. Automated processing of personal data - processing of personal data using computer technology.

CHAPTER 4
PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING

21. The State Unitary Enterprise "Kolos" Children's and Health Center, being the operator of personal data, processes the personal data of the employees of the State Unitary Enterprise "Kolos" Children's and Health Center and other subjects of personal data who are not in employment relations with the State Unitary Enterprise "Kolos".
22. The processing of personal data in the State Unitary Enterprise "Kolos" Children's and Health Center is carried out taking into account the need to ensure the protection of the rights and freedoms of employees of the State Unitary Enterprise "Kolos" Children's and Health Center and other subjects of personal data, including the protection of the right to privacy, personal and family secrets, based on the following principles:
the processing of personal data is carried out on a lawful and fair basis; the processing of personal data is carried out in proportion to the stated purposes of their processing and ensures a fair balance of interests of all interested parties at all stages of such processing;
the processing of personal data is carried out with the consent of the subject of personal data, except in cases provided for by legislative acts;
The processing of personal data is limited to achieving specific, pre-defined legitimate purposes. Processing of personal data that is incompatible with the originally stated purposes of processing is not permitted;
The content and volume of personal data processed correspond to the stated purposes of their processing. The personal data processed are not excessive in relation to the stated purposes of their processing;
The processing of personal data is transparent. The subject of personal data may be provided with relevant information regarding the processing of their personal data;
the operator takes measures to ensure the accuracy of the personal data processed by it and updates them if necessary;
Personal data are stored in a form that allows identification of the subject of personal data for no longer than required by the stated purposes of processing personal data.
23. Personal data are processed in the State Unitary Enterprise of the Children's Health and Recreation Center "Kolos" for the purposes of: ensuring compliance with the Constitution of the Republic of Belarus, legislative and other
regulatory legal acts of the Republic of Belarus, local legal acts of the KUP DROC
"Ear";
implementation of the functions, powers and duties assigned by the legislation of the Republic of Belarus to the State Unitary Enterprise "Kolos" Children's Health and Recreation Center, including the provision of personal data to government authorities, the Social Protection Fund of the Ministry of Labor and Social Protection of the Republic of Belarus, as well as to other government agencies;
regulation of labor relations with employees of the State Unitary Enterprise "Kolos" Children's Health Center (assistance in employment, training and career advancement, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property);
protection of life, health or other vital interests of personal data subjects;
preparation, conclusion, execution and termination of contracts with counterparties; ensuring access control and internal security at the facilities of the State Unitary Enterprise "Kolos" Children's Health Center;
formation of reference materials for internal information support of the activities of the State Unitary Enterprise of the Children's Health and Recreation Center "Kolos";
execution of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Republic of Belarus on enforcement proceedings;
the exercise of rights and legitimate interests of the State Unitary Enterprise "Kolos" DROC within the framework of the implementation of activities provided for by the Charter and other local legal acts of the State Unitary Enterprise "Kolos" DROC, or the achievement of socially significant goals;
for other lawful purposes.

CHAPTER 5
LIST OF SUBJECTS WHOSE PERSONAL DATA IS PROCESSED AT THE KOLOS DROC
24. The personal data of the following categories of subjects are processed at the State Unitary Enterprise "Kolos" Children's Health Center:
employees of the structural divisions of the State Unitary Enterprise "Kolos" Children's Health Center;
other subjects of personal data (to ensure the implementation of the processing purposes specified in Chapter 4 of the Policy).

CHAPTER 6
LIST OF PERSONAL DATA PROCESSED AT THE DROC CU
"EAR"

25. The list of personal data processed in the State Unitary Enterprise of the Children's Health and Recreation Center "Kolos" is determined in accordance with the legislation of the Republic of Belarus and local legal acts of the State Unitary Enterprise of the Children's Health and Recreation Center "Kolos", taking into account the purposes of processing personal data specified in Chapter 4 of the Policy.
26. Processing of special personal data concerning religious or other beliefs, intimate life, as well as genetic personal data, in the KUP DROC
"Kolos" is not implemented.

CHAPTER 7
FUNCTIONS OF THE KUP DROC "KOLOS" IN THE PROCESSING OF PERSONAL DATA
27. When processing personal data, the State Unitary Enterprise "Kolos" Children's Health Center shall: take measures necessary and sufficient to ensure compliance with the requirements
legislation of the Republic of Belarus and local legal acts of the State Unitary Enterprise "Kolos" in the field of personal data;
takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
appoints a structural unit or person responsible for implementing internal control over the processing of personal data;
issues local legal acts that determine the policy and issues of processing and protecting personal data in the State Unitary Enterprise "Kolos" Children's Health Center;
familiarizes the employees of the State Unitary Enterprise "Kolos" DROC, who are directly involved in the processing of personal data, with the provisions of the legislation of the Republic of Belarus and local legal acts of the State Unitary Enterprise "Kolos" in the field of personal data, including the requirements for the protection of personal data, and trains the said employees;
publishes or otherwise provides unrestricted access to this Policy;
informs, in the prescribed manner, the subjects of personal data or their representatives of the availability of personal data related to the relevant subjects, provides the opportunity to become familiar with this personal data upon request and (or) receipt of requests from the said subjects of personal data or their representatives, unless otherwise established by the legislation of the Republic of Belarus;
ceases processing and destroys personal data in cases stipulated by the legislation of the Republic of Belarus in the field of personal data;
performs other actions provided for by the legislation of the Republic of Belarus in the field of personal data.

CHAPTER 8
TERMS OF PERSONAL DATA PROCESSING AT THE KOLOS DROC

28. Personal data in the State Unitary Enterprise "Kolos" Children's Health and Recreation Center are processed with the consent of the personal data subject to the processing of his personal data, unless otherwise provided by the legislation of the Republic of Belarus in the field of personal data.
29. The State Unitary Enterprise "Kolos" does not disclose or distribute personal data to third parties without the consent of the subject of personal data, unless otherwise provided by the legislation of the Republic of Belarus.
30. The State Unitary Enterprise "Kolos" Children's Health Center has the right to entrust the processing of personal data on its behalf or in its interests to an authorized person on the basis of an agreement concluded with this person.
The agreement must contain:
purposes of processing personal data;
a list of actions that will be performed with personal data by an authorized person;
obligations to maintain the confidentiality of personal data;
measures to ensure the protection of personal data in accordance with Article 17 of the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data".
The authorized person is not required to obtain the consent of the personal data subject. If the processing of personal data on behalf of the State Unitary Enterprise "Kolos" Children's Health and Recreation Center requires the consent of the personal data subject, such consent is obtained by the State Unitary Enterprise "Kolos" Children's Health and Recreation Center.
31. For the purposes of internal information support, the State Unitary Enterprise "Kolos" Children's Health and Recreation Center may create internal reference materials, which, with the written consent of the personal data subject, unless otherwise provided by the legislation of the Republic of Belarus, may include his last name, first name, patronymic, place of work, position, year and place of birth, address, subscriber number, e-mail address, and other personal data reported by the personal data subject.
32. Access to personal data processed at the State Unitary Enterprise "Kolos" DROC is permitted only to employees of the State Unitary Enterprise "Kolos" DROC who occupy positions included in the list of positions of the structural divisions of the State Unitary Enterprise "Kolos" DROC, during the filling of which personal data is processed.
CHAPTER 9
LIST OF ACTIONS WITH PERSONAL DATA AND METHODS OF ITS PROCESSING

33. The State Unitary Enterprise "Kolos" Children's Health Center processes personal data (any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, and deletion of personal data).
34. Personal data in the State Unitary Enterprise "Kolos" Children's Health Center is processed in the following ways:
using automation tools;
without the use of automation tools, if this ensures the search for personal data and (or) access to them according to certain criteria (card indexes, lists, databases, journals, etc.).

CHAPTER 10
RIGHTS OF PERSONAL DATA SUBJECTS

35. Personal data subjects have the right to:
revocation of consent of the personal data subject;
obtaining information regarding the processing of personal data and changing personal data;
demanding termination of the processing of personal data and (or) their deletion; appealing the actions (inactions) and decisions of the operator related to the processing
personal data.

CHAPTER 11
MEASURES TAKEN BY THE KOLOS DROC CU TO ENSURE THE FULFILLMENT OF THE OPERATOR'S RESPONSIBILITIES WHEN PROCESSING PERSONAL DATA

36. Measures necessary and sufficient to ensure the implementation of the DROC CUP
The operator's responsibilities, as stipulated by the legislation of the Republic of Belarus in the field of personal data, include:
providing personal data subjects with the necessary information before obtaining their consent to the processing of personal data;
explaining to personal data subjects their rights related to the processing of personal data;
obtaining written consent from personal data subjects for the processing of their personal data, except in cases stipulated by the legislation of the Republic of Belarus;
appointment of a structural unit or a person responsible for internal control over the processing of personal data in the State Unitary Enterprise "Kolos" Children's Health Center;
publication of documents defining the policy of the State Unitary Enterprise "Kolos" Children's Health Center regarding the processing of personal data;
familiarization of employees directly processing personal data at the State Unitary Enterprise "Kolos" with the provisions of the legislation on personal data;
establishing the procedure for access to personal data, including those processed in the information resource (system);
implementation of technical and cryptographic protection of personal data in the State Unitary Enterprise "Kolos" Children's Health and Recreation Center in accordance with the procedure established by the Operational and Analytical Center under the President of the Republic of Belarus, in accordance with the classification of information resources (systems) containing personal data;
ensuring unlimited access, including through the use of the global computer network Internet, to documents defining the policy of the KUP DROC
"Kolos" in relation to the processing of personal data, prior to the commencement of such processing; termination of the processing of personal data in the absence of grounds for their processing;
immediate notification of the authorized body for the protection of the rights of personal data subjects about violations of personal data protection systems;
modification, blocking, deletion of inaccurate or illegally obtained personal data;
limiting the processing of personal data to the achievement of specific, pre-declared legitimate purposes;
storing personal data in a form that allows identification of personal data subjects for no longer than required by the stated purposes of processing personal data.
37. Measures to ensure the security of personal data when processing them in personal data information systems are established in accordance with local legal acts of the State Unitary Enterprise of the Kolos Children's and Youth Center, regulating issues of ensuring the security of personal data when processing them in personal data information systems of the State Unitary Enterprise of the Kolos Children's and Youth Center.
CHAPTER 12
CONTROL OVER COMPLIANCE WITH THE LEGISLATION OF THE REPUBLIC OF BELARUS AND LOCAL LEGAL ACTS OF THE KUP DROTS "KOLOS" IN THE REGION
PERSONAL DATA, INCLUDING PERSONAL DATA PROTECTION REQUIREMENTS

38. Monitoring of compliance by the structural divisions of the State Unitary Enterprise of the Children's and Youth Center "Kolos" with the legislation of the Republic of Belarus and local legal acts of the State Unitary Enterprise of the Children's and Youth Center "Kolos" in the field of personal data, including requirements for the protection of personal data, is carried out in order to verify compliance of the processing of personal data in the structural divisions of the State Unitary Enterprise of the Children's and Youth Center "Kolos" with the legislation of the Republic of Belarus and local legal acts of the State Unitary Enterprise of the Children's and Youth Center "Kolos" in the field of personal data, including requirements for the protection of personal data, as well as the measures taken aimed at preventing and identifying violations of the legislation of the Republic of Belarus in the field of personal data, identifying possible channels of leakage and unauthorized access to personal data, eliminating the consequences of such violations.
39. Internal control over compliance by structural divisions of the KUP DROC
"Kolos" legislation of the Republic of Belarus and local legal acts of the State Unitary Enterprise "Kolos" in the field of personal data, including requirements for the protection of personal data, is carried out by the person responsible for organizing the processing of personal data in the State Unitary Enterprise "Kolos".
40. Personal responsibility for compliance with the requirements of the legislation of the Republic of Belarus and local regulations of the State Unitary Enterprise "Kolos" in the field of personal data in the structural divisions of the State Unitary Enterprise "Kolos", as well as for ensuring the confidentiality and security of personal data in the said divisions of the State Unitary Enterprise "Kolos" is assigned to their managers.

Appendix 1
to the Operator's Policy
regarding the processing of personal data

Municipal Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos"
(KUP "Children's rehabilitation and health center "Kolos") APPROVED
Order of the Director of the State Unitary Enterprise "Kolos" Children's Health Center dated March 3, 2023, No. 75-P

POSITION

03.03.2023 № _1_

Khidrinsky village council, 22/5
Kobrin district

On the processing and protection of personal data

CHAPTER 1 GENERAL PROVISIONS

1. This Regulation on the processing and protection of personal data (hereinafter referred to as
The Regulation defines the policy of the State Unitary Enterprise "Children's Rehabilitation and Health Center "Kolos" (hereinafter referred to as the Organization) regarding the processing of personal data, the procedure for the Organization to process personal data of persons who are not its employees, including the procedure for collecting, storing, using, transferring and protecting such data.
2. Streamlining the handling of personal data aims to ensure the rights and freedoms of citizens in the processing of personal data, maintaining the confidentiality of personal data and protecting it.
3. The Regulation and amendments to it are approved by the Director of the Organization.
4. The Regulation is a local legal act of the Organization, mandatory for compliance and execution by employees, as well as other persons involved in the processing of personal data in accordance with this Regulation.
5. The Regulation was developed on the basis of and in pursuance of:
Constitution of the Republic of Belarus; Labor Code of the Republic of Belarus;
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981;
Charter of Fundamental Rights of the European Union of 12.12.2007;
Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data"; Law of the Republic of Belarus dated 21.07.2008 No. 418-Z "On the Population Register";
Law of the Republic of Belarus of 10.11.2008 No. 455-Z “On information, informatization and information protection”;
Law of the Republic of Belarus dated May 28, 2021 No. 114-Z "On Amendments to Laws on Labor Relations";
other regulatory legal acts of the Republic of Belarus.

CHAPTER 2 BASIC CONCEPTS

6. The following basic concepts and terms are used in these Regulations:
Organization or Operator – municipal unitary enterprise “Children's rehabilitation and health center “Kolos” located at the address: 225861, Brest region, Kobrin district, Khidrinsky rural council, 22/5;
personal data - any information relating to an identified individual or an individual who can be identified;
subject of personal data or subject - an individual who is not an employee of the Organization, to whom the personal data processed by the Organization relates;
processing of personal data - any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data;
processing of personal data using automation tools - processing of personal data using computer technology, while such processing cannot be recognized as being carried out exclusively using automation tools solely on the basis that the personal data are contained in a personal data information system or were extracted from it;
processing of personal data without the use of automation tools - actions with personal data, such as use, clarification, distribution, destruction, carried out with the direct participation of a person, if this ensures the search for personal data and (or) access to them according to certain criteria (card indexes, lists, databases, journals, etc.);
dissemination of personal data - actions aimed at familiarizing an indefinite number of persons with personal data;
provision of personal data - actions aimed at familiarization with the personal data of a certain person or group of persons;
Blocking of personal data - termination of access to personal data without deleting it;
deletion of personal data - actions as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which the material carriers of personal data are destroyed;
depersonalization of personal data - actions as a result of which it becomes impossible to determine ownership without the use of additional information
personal data to a specific subject of personal data;
cross-border transfer of personal data - transfer of personal data to the territory of a foreign state;
identifiable natural person - a natural person who can be directly or indirectly identified, in particular through a surname, first name, patronymic, date of birth, identification number, or through one or more
characteristics characteristic of his physical, psychological, mental, economic, cultural or social identity.

CHAPTER 3
CATEGORIES OF PERSONAL DATA SUBJECTS

7. The organization processes personal data of the following categories of subjects: relatives of employees;
job candidates;
employees and other representatives of the Organization;
employees and other representatives of counterparties - legal entities; counterparties - individuals;
consumers;
other entities whose interaction with the Operator creates the need to process personal data.

CHAPTER 4
CONTENT AND SCOPE OF PERSONAL DATA

8. The content and volume of personal data of each category of subjects is determined by the need to achieve specific purposes of their processing, as well as the need for the Organization to realize its rights and obligations, as well as the rights and obligations of the relevant subject.
9. Personal data of employees’ relatives include: last name, first name, patronymic;
date of birth; citizenship;
passport data or data of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);
information on marital status and family composition, indicating the last names, first names and patronymics of family members, date of birth, place of work and/or study;
information on registration at the place of residence (including address, date of registration); information on the place of actual residence;
number and series of the state social insurance certificate; medical information (in cases stipulated by law); information on social benefits and payments;
contact information (including work, home and/or mobile phone numbers, email, etc.);
10. Personal data of job candidates includes: last name, first name, patronymic (as well as all previous last names);
date and place of birth; citizenship;
passport data or data of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);
birth certificate details (number, date of issue, name of the authority that issued the document, etc.);
floor;
information on marital status and family composition, indicating the last names, first names and patronymics of family members, date of birth, place of work and (or) study;
information on registration at the place of residence (including address, date of registration); information on the place of actual residence;
number and series of the state social insurance certificate; information on education, advanced training and professional retraining,
academic degree, academic title; taxpayer identification number;
information on work experience (including length of service and work experience, employment data indicating position, department, information about the employer, etc.);
specialty, profession, qualification; military registration information;
medical information (in cases provided by law); biometric personal data (including photographs, images from cameras
video surveillance, voice recording);
information on social benefits and payments;
contact information (including home and/or mobile phone numbers, email, etc.);
information on awards and incentives;
information provided by the candidate himself during the completion of personality questionnaires and psychometric testing activities, as well as the results of such testing (psychometric profile, abilities and characteristics);
other information that may be indicated in the candidate’s resume or application form.
11. Personal data of employees and other representatives of the Organization include: last name, first name, patronymic (as well as all previous last names);
date of birth; citizenship;
passport data or data of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);
data on visas and other migration registration documents; gender;
information about the place of stay;
biometric personal data (including photographs, images from CCTV cameras, voice recordings);
information on social benefits and payments;
contact information (including work and/or mobile phone numbers, email, etc.);
other data necessary for the fulfillment of mutual rights and obligations.
12. Personal data of employees and other representatives of counterparties - legal entities include:
last name, first name, patronymic;
passport data or data of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);
information on registration at the place of residence (including address, date of registration); contact information (including work, home and (or) mobile phone numbers,
email, etc.); position;
other data necessary for the fulfillment of mutual rights and obligations between the Organization and the counterparty.
13. Personal data of counterparties - individuals include: last name, first name, patronymic;
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);
information on registration at the place of residence (including address, date of registration); number and series of the state social insurance certificate;
information on education, advanced training and professional retraining, academic degree, academic title;
bank account details; taxpayer identification number; specialty, profession, qualification;
contact information (including home and/or mobile phone numbers, email, etc.);
details of the certificate of registration of ownership;
other data necessary for the fulfillment of mutual rights and obligations between the Organization and the counterparty.
14. Personal data of consumers includes:
last name, first name, patronymic; contact information; date of birth;
gender; height, weight;
other data necessary for registration and analysis of the request.
4.8. Personal data of other subjects includes:
last name, first name, patronymic;
contact information (including home and/or mobile phone numbers, email, etc.);
passport data or data of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);
information on registration at the place of residence (including address, date of registration); number and series of the state social insurance certificate;
information on education, advanced training and professional retraining, academic degree, academic title;
bank account details; taxpayer identification number; specialty, profession, qualification;
other data necessary for the fulfillment of mutual rights and obligations between the Organization and the counterparty.

CHAPTER 5
PRINCIPLES OF PERSONAL DATA PROCESSING

15. The processing of personal data of subjects is based on the following principles: personal data is processed in accordance with the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts; the processing of personal data must be proportionate to the stated purposes of their processing and ensure a fair balance of interests of all interested parties at all stages of such processing;
Personal data is processed with the consent of the subject of personal data, except for cases provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z
"On the protection of personal data" and other legislative acts;
The processing of personal data must be limited to achieving specific, pre-defined legitimate purposes. Processing of personal data that is incompatible with the originally stated purposes of processing is not permitted;
The content and volume of personal data processed must correspond to the stated purposes of their processing. The personal data processed must not be excessive in relation to the stated purposes of their processing;
The processing of personal data must be transparent. For these purposes, the subject of personal data, in cases stipulated by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data," is provided with relevant information regarding the processing of his or her personal data;
the operator is obliged to take measures to ensure the accuracy of the personal data processed by it and, if necessary, update them;
Personal data must be stored in a form that allows identification of the subject of personal data, no longer than required by the stated purposes of processing personal data.

CHAPTER 6
PURPOSES OF PERSONAL DATA PROCESSING

16. Personal data of personal data subjects are processed for the following purposes:
performance of functions, powers and duties assigned to the Organization by the legislation of the Republic of Belarus and international treaties of the Republic of Belarus;
provision of benefits and compensation to relatives of employees; identification of conflicts of interest;
consideration of employment opportunities for candidates; maintaining a personnel reserve;
screening of candidates (including their qualifications and work experience); organization and support of business trips;
holding events and ensuring the participation of personal data subjects in them; ensuring security, preserving material assets and preventing
offenses;
issuance of powers of attorney and other authorizing documents; conducting negotiations, concluding and executing contracts; checking the counterparty;
advertising and promotion of products, including provision of information about the Organization’s products;
Processing of claims and information on product safety; Processing of complaints about adverse events and side effects; Performance of duties of a tax agent;
other purposes aimed at ensuring compliance with employment contracts, laws and other regulatory legal acts.
17. Personal data is processed solely for one or more specified legitimate purposes. If personal data has been collected and processed for a specific purpose, the use of this data for other purposes requires the personal data subject's notification and, if necessary, new consent to the processing.
18. Personal data may be processed for other purposes if this is necessary to ensure compliance with the law.

CHAPTER 7
RULES FOR PROCESSING PERSONAL DATA

19. General rules.
19.1. Personal data are processed using mixed processing (both with and without the use of automation tools), including using the internal network and the Internet.
19.2. In cases established by the legislation of the Republic of Belarus, the main condition for the processing of personal data is obtaining the consent of the relevant subject of personal data, including in written form.
19.3. The written consent of the personal data subject to the processing of his personal data must include:
last name, first name, patronymic (if any); date of birth;
identification number, or if there is no such number, the number of the document certifying his identity;
signature of the personal data subject.
If the purposes of processing personal data do not require processing of information, this information is not processed by the operator upon receipt of the consent of the personal data subject.
19.4. The consent of the personal data subject to the processing of his personal data, with the exception of special personal data, is not required in the following cases:
for the purposes of conducting administrative and (or) criminal proceedings, and implementing operational-search activities;
for the administration of justice, enforcement of court orders and other executive documents;
for the purpose of exercising control (supervision) in accordance with legislative acts; in the implementation of the norms of legislation in the field of national security, on combating
corruption, on the prevention of money laundering, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction;
when implementing the provisions of legislation on elections, referendums, recall of a deputy of the House of Representatives, a member of the Council of the Republic of the National Assembly of the Republic of Belarus, a deputy of the local Council of Deputies;
to maintain individual (personalized) records of information on insured persons for the purposes of state social insurance, including professional pension insurance;
when formalizing labor (service) relations, as well as in the process of labor (service) activities of the subject of personal data in cases provided for by law;
to carry out notarial activities;
when considering issues related to citizenship of the Republic of Belarus, granting refugee status, subsidiary protection, asylum and temporary protection in the Republic of Belarus;
for the purposes of assigning and paying pensions and benefits;
for organizing and conducting state statistical observations, generating official statistical information;
for scientific or other research purposes, subject to mandatory anonymization of personal data;
when recording, calculating and charging fees for housing and communal services, fees for the use of residential premises and reimbursement of electricity costs, fees for other services and tax reimbursement, as well as when providing benefits and collecting arrears in fees for housing and communal services, fees for the use of residential premises and reimbursement of electricity costs;
when the operator receives personal data on the basis of an agreement concluded (being concluded) with the subject of personal data, for the purpose of performing actions established by this agreement;
when processing personal data, when they are specified in a document addressed to the operator and signed by the subject of personal data, in accordance with the content of such document;
for the implementation of the lawful professional activities of a journalist and (or) the activities of a mass media outlet, an organization carrying out publishing activities, aimed at protecting the public interest, which is the need of society to detect and disclose information about threats to national security, public order, public health and the environment, information that affects the performance of their duties by government officials holding a responsible position, public figures, with the exception of cases provided for by civil procedural, economic procedural, criminal procedural legislation, legislation determining the procedure for administrative proceedings;
to protect the life, health or other vital interests of the subject of personal data or other persons, if obtaining the consent of the subject of personal data is impossible;
in relation to previously disseminated personal data until the subject of the personal data submits requests to stop processing the disseminated personal data, as well as to delete them in the absence of other grounds for processing personal data provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z
"On the protection of personal data" and other legislative acts;
in cases where the processing of personal data is necessary for the performance of duties (powers) provided for by legislative acts;
in cases where the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts expressly provide for the processing of personal data without the consent of the subject of personal data.
19.5. Processing of special personal data without the consent of the personal data subject is prohibited, with the exception of the following cases:
if special personal data are made publicly available personal data by the subject of personal data;
when formalizing labor (service) relations, as well as in the process of labor (service) activities of the subject of personal data in cases provided for by law;
when public associations, political parties, trade unions, and religious organizations process personal data of their founders (members) to achieve their statutory goals, provided that these data are not subject to dissemination without the consent of the subject of the personal data;
for the purpose of organizing the provision of medical care, provided that such personal data is processed by a medical, pharmaceutical or other healthcare worker who is responsible for ensuring the protection of personal data and who is subject to the obligation to maintain medical confidentiality in accordance with the law;
for the administration of justice, the execution of court orders and other executive documents, the execution of an executive inscription, and the registration of inheritance rights;
for the purposes of conducting administrative and (or) criminal proceedings, and implementing operational-search activities;
in cases stipulated by criminal-executive legislation, legislation in the field of national security, on defense, on the fight against corruption, on the fight against terrorism and countering extremism, on the prevention of legalization of proceeds from crime, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction, on the State Border of the Republic of Belarus, on citizenship, on the procedure for leaving the Republic of Belarus and entering the Republic of Belarus, on refugee status, additional protection, asylum and temporary protection in the Republic of Belarus;
in order to ensure the functioning of a unified state system for registration and recording of offenses;
for the purpose of maintaining forensic records;
for organizing and conducting state statistical observations, generating official statistical information;
to carry out administrative procedures;
in connection with the implementation of international treaties of the Republic of Belarus on readmission; when documenting the population;
to protect the life, health or other vital interests of the subject of personal data or other persons, if obtaining the consent of the subject of personal data is impossible;
in cases where the processing of special personal data is necessary for the performance of duties (powers) provided for by legislative acts;
in cases where the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts expressly provide for the processing of special personal data without the consent of the subject of the personal data.
The processing of special personal data is permitted only if a set of measures is taken to prevent risks that may arise during the processing of such personal data for the rights and freedoms of personal data subjects.
19.6. Collection of personal data.
19.6.1. The source of information about all personal data is directly the subject of the personal data.
19.6.2. Unless otherwise provided by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z
"On the protection of personal data", the Organization has the right to receive personal data of the subject of personal data from third parties only upon notification of the subject or in the presence of the subject's written consent to receive his personal data from third parties.
19.6.3. Notification to the subject of personal data about the receipt of his personal data from third parties must contain:
the name of the Operator and its location address;
the purpose of processing personal data and its legal basis; intended users of personal data; the statutory rights of the subject of personal data; the source of obtaining personal data.
19.7. Storage of personal data.
19.7.1. When storing personal data, conditions must be observed that ensure the safety of personal data.
19.7.2. Documents containing personal data stored on paper are stored in designated locations with limited access under conditions that ensure their protection from unauthorized access. The Organization determines the location for storing documents.
19.7.3. Personal data stored electronically is protected from unauthorized access using specialized technical and software protection measures. Storage of personal data in electronic form outside of the Organization's information systems and databases specifically designated by the Organization (non-systemic storage of personal data) is prohibited.
19.7.4. Personal data must be stored in a form that allows identification of the subject of personal data, but no longer than required for the purposes of their processing, unless another period is established by the legislation of the Republic of Belarus or an agreement to which the subject of personal data is a party, beneficiary or guarantor.
19.7.5. Unless otherwise provided by law, processed personal data shall be destroyed or anonymized upon achievement of the processing purposes, in the event of loss of need to achieve these purposes, or upon expiration of the storage periods.
19.7.6. The destruction or depersonalization of personal data must be performed in a manner that precludes further processing of this personal data. However, if necessary, the ability to process other data stored on the relevant tangible medium (deletion, erasure) must be retained.
19.7.7. If it is necessary to destroy or block part of the personal data, the physical medium shall be destroyed or blocked with a preliminary copy of the information not subject to destruction or blocking, in a manner that excludes the simultaneous copying of the personal data subject to destruction or blocking.
19.7.8. If it is necessary to destroy or block part of the personal data, the physical medium shall be destroyed or blocked with a preliminary copy of the information not subject to destruction or blocking, in a manner that excludes the simultaneous copying of the personal data subject to destruction or blocking.
19.8. Use.
19.8.1. Personal data is processed and used for the purposes specified in clause 6.1 of the Regulation.
19.8.2. Access to personal data is granted only to those employees of the Organization whose job responsibilities require working with personal data, and only for the period necessary to work with the relevant data. The list of such individuals is determined by the Organization.
19.8.3. If access to personal data must be granted to employees not included in the list of persons with access to personal data, they may be granted temporary access to a limited range of personal data by order of the company's director or another person authorized by the company's director. Relevant employees must be familiarized with all local legal acts of the Organization regarding personal data and must sign a non-disclosure agreement.
19.8.4. Employees processing personal data without the use of automation tools are informed (including by familiarizing themselves with this Regulation) about the fact that they are processing personal data, the categories of personal data being processed, as well as the specifics and rules for carrying out such processing established by law and this Regulation.
19.8.5. Employees of the Organization who do not have properly issued clearance are prohibited from accessing personal data.
19.8.6. If it is necessary to use or distribute certain personal data separately from other personal data located on the same tangible medium, the personal data subject to distribution or use are copied in a manner that excludes the simultaneous copying of personal data not subject to distribution and use, and a copy of the personal data is used (distributed).
19.8.7. The clarification of personal data during their processing without the use of automated means is carried out by updating or changing the data on a tangible medium, and if this is not permitted by the technical features of the tangible medium, by recording on the same tangible medium information about the changes made to them or by producing a new tangible medium with the clarified personal data.
19.9. Transfer.
19.9.1. The transfer of personal data of subjects to third parties is permitted in the minimum necessary volumes and only for the purpose of performing tasks that correspond to the objective reason for collecting this data.
19.9.2. The transfer of personal data to third parties, including for commercial purposes, is permitted only with the consent of the subject or other legal basis.
19.9.3. When transferring personal data to third parties, the subject must be notified of such transfer, except in cases specified by law, in particular if:
the subject of personal data is notified of the processing of his personal data by the operator who received the relevant data from the Organization;
personal data are made publicly available by the personal data subject or are obtained from a publicly available source;
Personal data are processed for statistical or other research purposes, for the implementation of professional activities of a journalist or scientific, literary or other creative activities, if this does not violate the rights and legitimate interests of the subject of personal data.
19.9.4. Information containing personal data must be transferred in a manner that ensures protection from unauthorized access, destruction, modification, blocking, copying, distribution, and other illegal actions in relation to such information.
19.9.5. Cross-border transfer of personal data is prohibited if the territory of a foreign state does not ensure an adequate level of protection of the rights of personal data subjects, except in cases where:
the consent of the subject of personal data is given, provided that the subject of personal data is informed of the risks arising from the lack of an adequate level of protection;
personal data were obtained on the basis of an agreement concluded (being concluded) with the subject of personal data, for the purpose of performing the actions established by this agreement;
Personal data may be obtained by any person by sending a request in the cases and manner provided for by law;
such transfer is necessary to protect the life, health or other vital interests of the subject of personal data or other persons, if obtaining the consent of the subject of personal data is impossible;
personal data are processed within the framework of the implementation of international treaties of the Republic of Belarus;
such transfer is carried out by the financial monitoring body for the purpose of taking measures to prevent the laundering of proceeds from crime, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction in accordance with the law;
the relevant permission from the authorized body for the protection of the rights of personal data subjects has been received.
19.9.6. Individuals receiving personal data must be warned that this data may only be used for the purposes for which it was provided and in a confidential manner. The Organization has the right to require these individuals to confirm that this rule has been observed.
19.9.7. In cases where government agencies have the right to request personal data, or personal data must be provided by law, as well as in accordance with a court request, the relevant information may be provided to them in the manner prescribed by the legislation of the Republic of Belarus.
19.9.8. All incoming requests must be forwarded to the person responsible for organizing the processing of personal data in the Organization for preliminary review and approval.
19.9 Processing order.
19.9.1. The organization has the right to entrust the processing of personal data to an authorized person
face.
19.9.2. In the agreement between the operator and the authorized person, legislative act
or the decision of a government agency must determine: the purposes of processing personal data;
a list of actions that will be performed with personal data by an authorized person;
obligations to maintain the confidentiality of personal data;
measures to ensure the protection of personal data in accordance with Article 17 of the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data".
19.9.3. The authorized person is not required to obtain the consent of the personal data subject. If the processing of personal data on behalf of the operator requires the consent of the personal data subject, such consent shall be obtained by the operator.
19.9.4. If the operator entrusts the processing of personal data to an authorized person, the operator is responsible to the personal data subject for the actions of such person. The authorized person is responsible to the operator.
19.10. Protection.
19.10.1. The protection of personal data is understood as a series of legal, organizational and technical measures aimed at:
ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;
Maintaining confidentiality of restricted information; exercising the right to access information.
19.10.2. To protect personal data, the Organization takes the necessary measures provided by law (including, but not limited to):
limits and regulates the composition of employees whose functional duties require access to information containing personal data (including through the use of passwords for access to electronic information resources);
provides conditions for storing documents containing personal data in a restricted access location;
organizes the procedure for the destruction of information containing personal data, if the legislation does not establish requirements for the storage of the relevant data;
monitors compliance with the requirements for ensuring the security of personal data, including those established by this Regulation (by conducting internal audits, establishing special monitoring tools, etc.);
Conducts investigations into cases of unauthorized access or disclosure of personal data, holding the guilty employees accountable and taking other measures;
implements software and hardware for protecting information in electronic form; ensures the ability to restore modified personal data
or destroyed as a result of unauthorized access to them.
19.10.3. To protect personal data when processed in information systems, the Organization carries out the necessary measures provided by law (including, but not limited to):
identification of threats to the security of personal data during their processing;
the application of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems, necessary to meet the requirements for the protection of personal data;
accounting of machine-readable media of personal data;
detection of facts of unauthorized access to personal data and acceptance
measures;
restoration of personal data that has been modified or destroyed
due to unauthorized access to them;
establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system.
19.10.4. The Organization has appointed persons responsible for the processing of personal data.
19.10.5. The Organization takes other measures aimed at ensuring the fulfillment of obligations in the field of personal data, as stipulated by the legislation of the Republic of Belarus.

CHAPTER 8
RIGHTS AND RESPONSIBILITIES OF PERSONAL DATA SUBJECTS
20. The subject of personal data has the right to:
20.1. at any time without explanation, revoke your consent by submitting an application to the operator in the manner prescribed by Article 14 of the Law of the Republic of Belarus dated 07.05.2021
No. 99-Z “On the protection of personal data”, or in the form through which his consent was obtained;
20.2. to receive information regarding the processing of their personal data, containing:
name (last name, first name, patronymic (if any)) and location (address of place of residence (place of stay)) of the operator;
confirmation of the fact of processing personal data by the operator (authorized person);
his personal data and the source of its receipt; legal grounds and purposes of processing personal data; the period for which his consent is given;
the name and location of the authorized person, who is a government agency, a legal entity of the Republic of Belarus, or another organization, if the processing of personal data is entrusted to such person;
other information required by law;
20.3. Request that the operator amend their personal data if it is incomplete, outdated, or inaccurate. For these purposes, the personal data subject shall submit an application to the operator in accordance with the procedure established by Article 14 of the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data", with the relevant documents and/or their duly certified copies confirming the need to amend the personal data;
20.4. Receive information from the operator about the provision of their personal data to third parties once per calendar year free of charge, unless otherwise provided by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts. To obtain this information, the personal data subject submits an application to the operator.
The application of the personal data subject must contain:
the surname, first name, patronymic (if any) of the subject of personal data, address of his place of residence (place of stay);
date of birth of the personal data subject;
identification number of the personal data subject, or, in the absence of such number, the number of the identity document of the personal data subject, in cases where this information was indicated by the personal data subject when giving his consent to the operator or the processing of personal data is carried out without the consent of the personal data subject;
statement of the essence of the requirements of the personal data subject;
personal signature or electronic digital signature of the subject of personal data;
20.5. demand that the operator stop processing their personal data free of charge, including deleting it, if there are no grounds for processing personal data stipulated by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts. To exercise this right, the personal data subject submits an application to the operator in the manner prescribed by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data";
20.6. appeal the actions (inactions) and decisions of the operator that violate his rights when processing personal data to the authorized body for the protection of the rights of subjects
personal data in accordance with the procedure established by law on appeals from citizens and legal entities.
21. The right of a subject to access his personal data may be limited in accordance with the legislation of the Republic of Belarus.
22. All requests from subjects or their representatives in connection with the processing of their personal data are registered in the relevant journal.
23. The subject of personal data is obliged to:
provide the Organization with reliable personal data;
promptly inform the Organization about changes and additions to their personal data;
exercise their rights in accordance with the legislation of the Republic of Belarus and local legal acts of the Organization in the field of processing and protection of personal data;
perform other duties stipulated by the legislation of the Republic of Belarus and local legal acts of the Organization in the field of processing and protection of personal data.

CHAPTER 9
RIGHTS AND RESPONSIBILITIES OF THE ORGANIZATION

24. The organization has the right to:
establish rules for the processing of personal data in the Organization, make amendments and additions to the Regulation, independently, within the framework of legal requirements, develop and apply forms of documents necessary for the performance of the duties of the operator;
exercise other rights provided for by the legislation of the Republic of Belarus and local legal acts of the Organization in the field of processing and protection of personal data.
25. The organization is obliged to:
explain to the subject of personal data his rights related to the processing of personal data;
obtain the consent of the subject of personal data, except for cases provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts;
ensure the protection of personal data during their processing;
provide the subject of personal data with information about his personal data, as well as about the provision of his personal data to third parties, with the exception of cases provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts;
make changes to personal data that are incomplete, outdated or inaccurate, except in cases where a different procedure for making changes to personal data is established by legislative acts or if the purposes of processing personal data do not require subsequent changes to such data;
stop processing personal data, as well as delete or block it (ensure that the processing of personal data is stopped, as well as its deletion or blocking by an authorized person) in the absence of grounds for processing personal data provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z
"On the protection of personal data" and other legislative acts;
notify the authorized body for the protection of the rights of personal data subjects of violations of personal data protection systems immediately, but no later than 3 working days after the operator became aware of such violations, except in cases stipulated by the authorized body for the protection of the rights of personal data subjects;
to change, block or delete inaccurate or illegally obtained personal data of a personal data subject at the request of the authorized body for the protection of the rights of personal data subjects, unless another procedure for making changes to personal data, blocking or deleting them is established by legislative acts;
comply with other requirements of the authorized body for the protection of the rights of personal data subjects to eliminate violations of personal data legislation;
perform other duties stipulated by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" and other legislative acts.

CHAPTER 10 RESPONSIBILITY

26. Persons guilty of violating the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z
"On the protection of personal data", bear responsibility as provided for by legislative acts.
27. Employees and other persons guilty of violating this Regulation, as well as the legislation of the Republic of Belarus in the field of personal data, may be subject to disciplinary and material liability in the manner established by the Labor Code of the Republic of Belarus, and may also be subject to civil, administrative and criminal liability in the manner established by the legislation of the Republic of Belarus.

Appendix 2
to the Operator's Policy
regarding the processing of personal data


Municipal unitary enterprise
Children's Rehabilitation and Health Center "Kolos"
(KUP "Children's rehabilitation and health
Kolos Center) APPROVED
Order of the Director of the State Unitary Enterprise "Kolos" Children's Health Center
from 03.03.2023 No. 75-P


REGULATION 03.03.2023 No. 2
Khidrinsky village council, 22/5
Kobrin district

On the procedure for ensuring confidentiality
when processing information containing personal data

CHAPTER 1 GENERAL PROVISIONS

1. These Regulations establish the methods of ensuring security during the processing of personal data, which are any action or set of actions performed with personal data, including the collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, and deletion of personal data, used in the municipal unitary enterprise "Children's Rehabilitation and Health Center "Kolos" (hereinafter referred to as the Organization),.
2. These Regulations have been developed on the basis of: the Constitution of the Republic of Belarus;
Labor Code of the Republic of Belarus,
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981;
Charter of Fundamental Rights of the European Union of 12.12.2007;
Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data"; Law of the Republic of Belarus dated 21.07.2008 No. 418-Z "On the Population Register";
Law of the Republic of Belarus of 10.11.2008 No. 455-Z “On information, informatization and information protection”;
Law of the Republic of Belarus dated May 28, 2021 No. 114-Z "On Amendments to Laws on Labor Relations";
other regulatory legal acts of the Republic of Belarus.
3. In accordance with the legislation of the Republic of Belarus, personal data means any information related to an identified individual or an individual who can be identified, including his/her last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, and other information necessary for the Organization in connection with labor relations.
4. The requirement to ensure confidentiality when processing personal data means a mandatory requirement for officials of the Organization authorized to process personal data and other persons who have gained access to personal data not to allow their dissemination without the consent of the subject of the personal data or the presence of other legal grounds.
5. Ensuring the confidentiality of personal data is not required in the event of: depersonalization of personal data (actions that result in
it is impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information);
for publicly available personal data (personal data distributed by the subject of personal data or with his consent or distributed in accordance with the requirements of legislative acts).
6. The lists of personal data and those responsible for the storage and processing of personal data are approved by order of the Director of the Organization.
The processing and storage of confidential data by persons not specified in the order is prohibited.
7. In order to ensure compliance with the requirements of confidentiality and security when processing personal data, the Organization provides officials working with personal data with the necessary conditions for fulfilling the specified requirements:
familiarizes the employee with the requirements of the Operator's Policy regarding the processing of personal data of the State Unitary Enterprise "Kolos" Children's Health Center, with the Regulation on processing and
protection of personal data of the State Unitary Enterprise "Kolos" Children's Health and Recreation Center, with this Regulation on the procedure for ensuring confidentiality when processing information containing personal data, with the job description and other local legal acts of the Organization in the field of ensuring the confidentiality and security of personal data;
represents storage for documents, means for accessing information resources (keys, passwords, etc.);
teaches the rules for operating information security tools; carries out other necessary activities.
8. The Organization's officials working with personal data are prohibited from disclosing them verbally or in writing to anyone unless it is necessary for official purposes. After the document is prepared and submitted, draft files and

Document versions are transferred by the employee who prepared them to labeled media intended for storing personal data.
Without the consent of the head of the structural unit, the creation and storage of databases (card indexes, file archives, etc.) containing confidential data is prohibited.
9. Officials of the Organization working with personal data are obliged to use information about personal data solely for purposes related to the performance of their work duties.
10. Upon termination of a work function related to the processing of personal data, all information carriers containing personal data (originals and copies of documents, machine and paper media, etc.) that were at the disposal of the official in connection with the performance of official duties, the said employee must transfer to his immediate supervisor.
11. The transfer of personal data to third parties is permitted only in cases established by the legislation of the Republic of Belarus, the Operator's Policy regarding the processing of personal data of the State Unitary Enterprise "Kolos", the Regulation on the processing and protection of personal data of the State Unitary Enterprise "Kolos", the Regulation on the procedure for ensuring confidentiality when processing information containing personal data of the State Unitary Enterprise "Kolos", the job description and other local legal acts of the Organization in the field of ensuring the confidentiality and security of personal data
The transfer of personal data is carried out by the official of the Organization responsible for the processing of personal data on the basis of a written or oral instruction from the head of the structural unit.
12. The transfer of information and documents containing personal data is formalized by drawing up an act in the established form.
13. The official who has provided personal data to third parties shall send a written notice to the subject of personal data about the fact of transfer of his data to third parties.
14. The transfer of personal data by telephone, fax, or e-mail is prohibited, except in cases established by law and local legal acts in force in the Organization.
Responses to inquiries from citizens and organizations are provided to the extent that personal data is not disclosed in the responses, with the exception of data contained in the applicant's materials or published in publicly available sources.
15. Officials of the Organization working with personal data are obliged to immediately notify their immediate supervisor and/or the chief information security specialist of all facts that have become known to them regarding unauthorized access by third parties or attempts to gain access to personal data, the loss or shortage of information carriers containing personal data, identification cards, passes, keys to safes (storage facilities), personal seals, electronic keys and other facts that may lead to unauthorized access to personal data, as well as the reasons and conditions for a possible leak of this information.
16. Officials processing personal data shall bear disciplinary, administrative, civil or criminal liability for failure to comply with the requirements of confidentiality and protection of personal data in accordance with the legislation of the Republic of Belarus.
17. Lack of control by the Organization over the proper performance by the employee of his duties in the area of ​​ensuring confidentiality and security

personal data does not relieve the employee from such obligations and liability provided for by the legislation of the Republic of Belarus.

CHAPTER 2
PROCEDURE FOR ENSURING SECURITY IN THE PROCESSING OF PERSONAL DATA CARRIED OUT WITHOUT THE USE OF AUTOMATION TOOLS

18. The processing of personal data, including personal data contained in an information system or extracted from such a system, is considered to be carried out without the use of automation tools (non-automated), if such processing is carried out with the direct participation of a person.
19. The head of the structural unit that processes personal data without the use of automation tools:
determines the storage locations of personal data (physical media); monitors the availability of conditions in the structural unit that ensure
the safety of personal data and preventing unauthorized access to it; informs persons processing personal data without the use of
automation tools, the list of personal data processed, as well as the features and rules for implementing such processing;
organizes separate, i.e. non-mixing, storage of tangible personal data carriers (documents, disks, floppy disks, USB flash drives, etc.), the processing of which is carried out for various purposes.
20. When recording personal data on tangible media, it is prohibited to record on the same tangible media personal data whose processing purposes are clearly incompatible. For processing different categories of personal data without the use of automation, a separate tangible media must be used for each category of personal data.
21. If the purposes of processing personal data are incompatible, the head of the structural unit must ensure separate processing of personal data.
22. Destruction or depersonalization of part of the personal data, if permitted by the tangible medium, must be carried out in a manner that excludes further processing of this personal data while maintaining the possibility of processing other data recorded on the tangible medium (deletion, erasure).
23. Clarification of personal data during their processing without the use of automation tools is carried out by updating or changing the data on a tangible medium.
CHAPTER 3
PROCEDURE FOR ENSURING SECURITY IN THE PROCESSING OF PERSONAL DATA USING AUTOMATION TOOLS

24. Processing of personal data using automation means performing actions (operations) with such data using computing equipment in the computer network of the Organization (hereinafter referred to as the KSO).
The security of personal data during its processing in the KSO is ensured by a personal data protection system, which includes organizational measures and information security tools, as well as information technologies used in the KSO.
Technical and software means of information protection must meet the requirements established in accordance with the legislation of the Republic of Belarus,
Information security measures used in CSR undergo a compliance assessment procedure in accordance with established procedures.
25. Access of persons to the processing of personal data using automation tools is carried out on the basis of an order of the Director of the Organization in the presence of access passwords.
Work with personal data contained in the KSO is carried out in accordance with the "User Action Regulations," which the employee whose job responsibilities include processing personal data is familiarized with and signed.
26. Work with personal data in the KSO must be organized in such a way as to ensure the safety of personal data carriers and information security tools, and to exclude the possibility of uncontrolled presence of unauthorized persons in these premises.
27. Computers and/or electronic folders containing files with personal data must be protected for each user with individual access passwords that comply with the requirements of the “Password Protection Regulations” of the State Unitary Enterprise of the Kolos Children’s Health Center.
28. The transfer of personal data without the use of special means of protection over public communication networks, including the Internet, is prohibited.
29. When processing personal data in the KSO, users must ensure:
use of sections (catalogues) of information carriers built into technical equipment or removable marked media intended for this purpose;
preventing physical impact on technical means of automated processing of personal data, which may result in disruption of their functioning;
constant use of antivirus software to detect infected files and immediate restoration of personal data modified or destroyed due to unauthorized access;
preventing unauthorized removal from premises, installation, connection of equipment, as well as removal, installation, or configuration of software.
30. When processing personal data in the KSO, developers and administrators of information systems must ensure:
training of persons using information security tools applied in the KSO in the rules for working with them;
registration of persons authorized to work with personal data in the KSO, access rights and passwords;
accounting of the information security tools used, operational and technical documentation for them;
monitoring compliance with the conditions for the use of information security tools provided for in the operational and technical documentation;
Description of the personal data protection system.
31. Specific requirements for the protection of personal data in individual automated systems of the Organization are determined by instructions for their use and operation approved in the established manner.

CHAPTER 4
PROCEDURE FOR ACCOUNTING, STORING AND HANDLING REMOVABLE MEDIA OF PERSONAL DATA, HARD COPIES AND THEIR DISPOSAL
32. All removable media (disks, floppy disks, USB flash drives, etc.) containing personal data stored and in circulation within the Organization are subject to accounting. Each removable media containing personal data must be labeled with its unique identification number.
33. Accounting and issuance of removable personal data storage media is carried out by accounting staff.
Employees of the Organization receive an accounted removable storage device from an authorized employee to perform work for a specific period.
Upon receipt, appropriate entries are made in the personal accounting journal of removable personal data storage devices (hereinafter referred to as the accounting journal), which is maintained in the accounting department.
Upon completion of the work, the user hands over the removable media to an authorized employee for storage, and a corresponding entry is made in the logbook.
34. When working with removable media containing personal data, it is prohibited to:
store removable media containing personal data together with media containing open information, on desktops, or leave them unattended or transfer them for storage to other persons;
remove removable media containing personal data from office premises to work with them at home, in hotels, etc.
35. When sending or transmitting personal data to recipients, only the data intended for the recipients is recorded on removable media. Sending personal data to recipients on removable media is carried out in the manner established for official documents. Removal of personal data from removable media for direct transmission to the recipient is permitted only with the written permission of the head of the Organization's structural unit.
36. Any loss of removable media containing personal data or disclosure of information contained therein must be immediately reported to the Director of the Organization.
A report is drawn up for lost media. Corresponding entries are made in the logbooks.

CHAPTER 5
FINAL PROVISIONS

37. All employees of the Organization's structural divisions and individuals performing work under agreements and contracts related to the processing of the personal data of the Organization's employees must be familiarized with these Regulations by signing the Personal Data Processing Access Log. The administrator of the databases and information systems in which personal data is processed is responsible for this instruction.