Approved by the order of the Director of JSC BEMZ
No. 77 dated 16.05.2024.

REGULATION
"On the processing and protection of personal data and on the procedure for ensuring confidentiality when processing personal data at JSC BEMZ"
GENERAL PROVISIONS
This Regulation "On the processing and protection of personal data and on the procedure for ensuring confidentiality when processing personal data at JSC BEMZ" (hereinafter referred to as the Regulation) defines the policy of JSC BEMZ (hereinafter referred to as the Company) regarding the processing of personal data, including the procedure for the Company to process personal data of persons who are not its employees, including the procedure for collecting, storing, using, transferring and protecting personal data.

The streamlining of the handling of personal data is aimed at ensuring the rights and freedoms of citizens when processing personal data, maintaining the confidentiality of personal data and protecting them.

The Regulation and amendments to it are approved by the order of the Director of the Company.

The Regulation is a local legal act of the Company, mandatory for compliance and execution by employees, as well as other persons involved in the processing of personal data in accordance with this Regulation.

The Regulation has been developed on the basis of and in pursuance of:

- The Constitution of the Republic of Belarus;

- The Labor Code of the Republic of Belarus;

- The Civil Code of the Republic of Belarus;

- The Tax Code of the Republic of Belarus;

- The Law of the Republic of Belarus dated 07.05.2021 N 99-Z "On the Protection of Personal Data" (hereinafter referred to as the Law "On the Protection of Personal Data");

- The Law of the Republic of Belarus dated 21.07.2008 N 418-Z "On the Population Register";

- The Law of the Republic of Belarus dated 10.11.2008 N 455-Z "On Information, Informatization and Information Protection";

- Other regulatory legal acts of the Republic of Belarus and regulatory documents of authorized state authorities.

MAIN CONCEPTS
The following main concepts and terms are used in this Regulation:

a) Company or Operator — Brest Electromechanical Plant Open Joint-Stock Company (BEMZ OJSC), located at: 224020, Brest, Moskovskaya Street, 202;

b) personal data — any information related to an identified individual or an individual who can be identified;

c) personal data subject — an individual to whom the personal data processed by the Company relates, including an individual who is not an employee of the Company to whom the personal data processed by the Company relates;

d) personal data processing — any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data;

e) personal data processing using automation tools — personal data processing using computer technology, but such processing cannot be recognized as carried out exclusively using automation tools solely on the basis that the personal data are contained in a personal data information system or were extracted from it;

f) personal data processing without the use of automation tools — actions with personal data, such as use, clarification, distribution, destruction, carried out with the direct participation of a person, if this ensures the search for personal data and (or) access to them according to certain criteria (card indexes, lists, databases, journals, etc.);

g) dissemination of personal data — actions aimed at familiarizing an indefinite number of persons with personal data;

h) provision of personal data — actions aimed at familiarizing a specific person or group of persons with personal data;

i) blocking of personal data — termination of access to personal data without deleting them;

k) deletion of personal data — actions as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which tangible carriers of personal data are destroyed;

l) depersonalization of personal data — actions as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information;

m) cross-border transfer of personal data — transfer of personal data to the territory of a foreign state;

n) an individual who can be identified — an individual who can be directly or indirectly identified, in particular, by his/her last name, first name, patronymic, date of birth, identification number or by one or more features characteristic of his/her physical, psychological, mental, economic, cultural or social identity.

CATEGORIES OF PERSONAL DATA SUBJECTS
The Company processes personal data of the following categories of subjects:

- personal data of affiliated persons of the Company;

- personal data of employees, as well as former employees of the Company;

- personal data of job candidates;

- personal data of employees and other representatives of counterparties - legal entities, transferred by such counterparties;

- personal data of counterparties - individuals;

- personal data of visitors.

CONTENT AND SCOPE OF PERSONAL DATA
The content and scope of personal data of each category of subjects is determined by the need to achieve specific purposes of their processing, as well as the need for the Company to exercise its rights and obligations, as well as the rights and obligations of the relevant subject.

1. Personal data of employees, former employees of the Company include:

- last name, first name, patronymic name of the employee (as well as all previous last names);

- date of birth;

- citizenship;

- passport details or details of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);

- information on marital status and family composition, indicating the last names, first names and patronymics of family members, date of birth, place of work and/or study;

- information on registration at the place of residence (including address, date of registration);

- information on the place of actual residence;

- number and series of the state social insurance certificate;

- card account details;

- medical information in cases stipulated by law;

- biometric personal data (including photographs, images from CCTV cameras);

- information on social benefits and payments;

- specialty, profession, qualification;

- information on military registration;

- contact information (including work, home and/or mobile phone numbers, e-mail, etc.);

2. Personal data of job candidates include:

- last name, first name, patronymic (as well as all previous last names);

- date and place of birth;

- citizenship;

- passport details or details of another identity document (series, number, date of issue, name of the issuing authority, etc.);

- birth certificate details (number, date of issue, name of the issuing authority, etc.);

- gender;

- information on marital status and family composition, indicating the last names, first names and patronymics of family members, date of birth, place of work and (or) study;

- information on registration at the place of residence (including address, date of registration);

- information on the place of actual residence;

- number and series of the state social insurance certificate;

- information on education, advanced training and professional retraining, academic degree, academic title;

- taxpayer identification number;

- information on work experience (including length of service and work experience, employment details indicating the position, department, details of the employer, etc.);

- specialty, profession, qualification;

- military registration information;

- medical information (in cases stipulated by law);

- biometric personal data (including photographs, images from CCTV cameras);

- information about social benefits and payments;

- contact information (including home and/or mobile phone numbers, e-mail, etc.);

- information about awards and incentives;

- information provided by the candidate during the completion of personality questionnaires and psychometric testing events, as well as the results of such testing (psychometric profile, abilities and characteristics);

- other data that may be indicated in the candidate's resume or application form.

3. Personal data of employees and other representatives of counterparties - legal entities include:

- last name, first name, patronymic;

- passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);

- information on registration at the place of residence (including address, date of registration);

- contact details (including work, home and (or) mobile phone numbers, e-mail, etc.);

- job title;

- other data necessary for the performance of mutual rights and obligations between the Company and the counterparty.

4. Personal data of counterparties - individuals include:

- last name, first name, patronymic;

- citizenship;

- passport details or details of another identity document (series, number, date of issue, name of the issuing authority, etc.);

- information on registration at the place of residence (including address, date of registration);

- bank account details;

- specialty, profession, qualification;

- contact details (including home and (or) mobile phone numbers, e-mail, etc.);

- other data necessary for the performance of mutual rights and obligations between the Company and the counterparty.

5. Personal data of visitors include:

- last name, first name, patronymic;

- passport data or data of another identity document (series, number, date of issue, name of the authority that issued the document, etc.);

- information about registration at the place of residence (including address, date of registration);

PURPOSES OF PERSONAL DATA PROCESSING
6. Personal data of personal data subjects are processed for the following purposes:

- performance of functions, powers and duties imposed on the Company by the legislation of the Republic of Belarus and international treaties of the Republic of Belarus;

- provision of benefits and compensations to relatives of employees;

- identification of conflicts of interest;

- consideration of the possibility of employing candidates;

- maintaining a personnel reserve;

- verification of candidates (including their qualifications and work experience);

- organization and support of business trips;

- holding events and ensuring participation of personal data subjects in them;

- ensuring security, preservation of material assets and prevention of offenses;

- issuing powers of attorney and other authorizing documents;

- conducting negotiations, concluding and executing contracts;

- counterparty verification;

- advertising and promotion of products, including provision of information about the Company's products;

- processing requests;

- fulfilling the duties of a tax agent;

- other purposes aimed at ensuring compliance with employment agreements (contracts), laws and other regulatory legal acts.

Personal data are processed solely to achieve one or more legitimate purposes defined by this Regulation.

If personal data have been collected and processed to achieve a specific purpose, in order to use these data for other purposes, it is necessary to notify the subject of personal data about this and, if necessary, obtain new consent for processing.

7. Personal data may be processed for other purposes if this is necessary in connection with ensuring compliance with the law.

RULES FOR PROCESSING PERSONAL DATA
8. General rules.

8.1. Personal data are processed by mixed (both with and without the use of automation) processing, including using the internal network and the Internet.

8.2. In cases established by the legislation of the Republic of Belarus, the main condition for processing personal data is obtaining the consent of the relevant personal data subject, including in writing.

8.3. The written consent of the personal data subject to the processing of his personal data must include:

- last name, first name, patronymic (if any);

- date of birth;

- identification number, and in the absence of such number - the number of the document certifying his identity;

- signature of the personal data subject.

If the purposes of processing personal data do not require the processing of this information, it is not processed by the operator when obtaining the consent of the personal data subject.

8.4. The consent of the personal data subject to the processing of his/her personal data, with the exception of special personal data, is not required in the following cases:

- for the purposes of administrative and (or) criminal proceedings, implementation of operational-search activities;

- for the administration of justice, execution of court decisions and other executive documents;

- for the purposes of exercising control (supervision) in accordance with legislative acts;

- in the implementation of the norms of legislation in the field of national security, on the fight against corruption, on the prevention of legalization of proceeds from crime, financing of terrorist activities and financing the proliferation of weapons of mass destruction;

- in the implementation of the norms of legislation on elections, referendums, on the recall of a deputy of the House of Representatives, a member of the Council of the Republic of the National Assembly of the Republic of Belarus, a deputy of the local Council of Deputies;

- for maintaining individual (personalized) records of information on insured persons for the purposes of state social insurance, including professional pension insurance;

- when formalizing labor (service) relations, as well as in the course of labor (service) activity of the personal data subject in cases stipulated by law;

- for the performance of notarial activities;

- when considering issues related to the citizenship of the Republic of Belarus, granting refugee status, additional protection, asylum and temporary protection in the Republic of Belarus;

- for the purposes of assigning and paying pensions, benefits;

- for organizing and conducting state statistical observations, generating official statistical information;

- for scientific or other research purposes, subject to mandatory depersonalization of personal data;

- when receiving personal data by the operator on the basis of an agreement concluded (being concluded) with the personal data subject, for the purpose of performing the actions established by this agreement;

- when processing personal data, when they are specified in a document addressed to the operator and signed by the personal data subject, in accordance with the content of such document;

- for the implementation of the lawful professional activities of a journalist and (or) the activities of a mass media outlet, a Company carrying out publishing activities aimed at protecting the public interest, which is the need of society to detect and disclose information about threats to national security, public order, public health and the environment, information affecting the performance of their duties by government officials holding a responsible position, public figures, with the exception of cases provided for by civil procedural, economic procedural, criminal procedural legislation, legislation determining the procedure for administrative proceedings;

- to protect the life, health or other vital interests of the subject of personal data or other persons, if obtaining the consent of the subject of personal data is impossible;

- with respect to previously disseminated personal data until the subject of personal data makes a request to stop processing the disseminated personal data, as well as to delete them in the absence of other grounds for processing personal data provided for by the Law "On the Protection of Personal Data" and other legislative acts;

- in cases where the processing of personal data is necessary for the performance of duties (powers) stipulated by legislative acts;

- in cases where the Law "On the Protection of Personal Data" and other legislative acts expressly provide for the processing of personal data without the consent of the subject of personal data.

8.5. Processing of special personal data without the consent of the personal data subject is prohibited, except for the following cases:

- if special personal data are made publicly available personal data by the personal data subject him/herself;

- when formalizing labor (service) relations, as well as in the course of labor (service) activity of the personal data subject in cases stipulated by law;

- when public associations, political parties, trade unions, religious organizations process personal data of their founders (members) to achieve statutory goals, provided that these data are not subject to distribution without the consent of the personal data subject;

- for the purposes of organizing the provision of medical care, provided that such personal data are processed by a medical, pharmaceutical or other healthcare worker who is responsible for ensuring the protection of personal data and is subject to the obligation to maintain medical confidentiality in accordance with the law;

- for the administration of justice, the execution of court orders and other executive documents, the execution of an executive inscription, the registration of inheritance rights;

- for the purposes of conducting administrative and (or) criminal proceedings, implementing operational-search activities;

- in cases stipulated by the criminal-executive legislation, legislation in the field of national security, on defense, on the fight against corruption, on the fight against terrorism and countering extremism, on the prevention of legalization of proceeds from crime, financing of terrorist activities and financing the proliferation of weapons of mass destruction, on the State Border of the Republic of Belarus, on citizenship, on the procedure for leaving the Republic of Belarus and entering the Republic of Belarus, on refugee status, additional protection, asylum and temporary protection in the Republic of Belarus;

- in order to ensure the functioning of the unified state system of registration and recording of offenses;

- for the purpose of maintaining forensic records;

- for the organization and conduct of state statistical observations, the formation of official statistical information;

- for the implementation of administrative procedures;

- in connection with the implementation of international treaties of the Republic of Belarus on readmission;

- when documenting the population;

- to protect the life, health or other vital interests of the personal data subject or other persons, if it is impossible to obtain the consent of the personal data subject;

- in cases where the processing of special personal data is necessary for the performance of duties (powers) stipulated by legislative acts;

- in cases where the Law "On the Protection of Personal Data" and other legislative acts expressly provide for the processing of special personal data without the consent of the personal data subject.

The processing of special personal data is permitted only if a set of measures is taken to prevent risks that may arise during the processing of such personal data for the rights and freedoms of personal data subjects.

8.6. Collection of personal data.

8.6.1. The source of information about all personal data is directly the personal data subject.

8.6.2. Unless otherwise provided by the Law "On the Protection of Personal Data", the Company has the right to receive personal data of the personal data subject from third parties only after notifying the subject of this or with the subject's written consent to the receipt of his personal data from third parties.

8.6.3. Notification of the personal data subject about receipt of his personal data from third parties must contain:

- name of the Operator and its location address;

- purpose of processing personal data and its legal basis;

- intended users of personal data;

- rights of the personal data subject established by law;

- source of obtaining personal data.

8.7. Storage of personal data.

8.7.1. When storing personal data, the conditions that ensure the safety of personal data must be observed.

8.7.2. Documents that include personal data contained on paper media are kept in specially designated places with limited access under conditions that ensure their protection from unauthorized access. The list of document storage locations and the storage procedure are determined by the person responsible for implementing internal control over data processing. If necessary, the said person initiates the establishment of the storage procedure in a separate local legal act, by amending the regulations on the department (service), job description, etc. If the legislation defines the procedure for storing personal data, the provisions of the legislation shall apply.

8.7.3. Personal data stored in electronic form are protected from unauthorized access using special technical and software protection tools. Storage of personal data in electronic form outside the information systems used by the Company and databases specially designated by the Company (non-systemic storage of personal data) is not permitted.

8.7.4. Personal data must be stored in a form that allows identification of the subject of personal data, but no longer than required for the purposes of their processing, unless another period is established by the legislation of the Republic of Belarus or an agreement to which the subject of personal data is a party, beneficiary or guarantor.

8.7.5. Unless otherwise provided by law, processed personal data are subject to destruction or depersonalization upon achievement of the processing purposes, in the event of loss of the need to achieve these purposes or upon expiration of their storage periods.

8.7.6. Destruction or depersonalization of personal data must be carried out in a manner that excludes further processing of these personal data. At the same time, if necessary, the possibility of processing other data recorded on the relevant tangible medium (deletion, erasure) must be preserved.

8.7.7. If it is necessary to destroy or block part of the personal data, the tangible medium shall be destroyed or blocked with preliminary copying of the information not subject to destruction or blocking, in a manner that excludes the simultaneous copying of the personal data subject to destruction or blocking.

8.8. Use.

8.8.1. Personal data shall be processed and used for the purposes specified in the Regulation.

8.8.2. Access to personal data shall be granted only to those employees of the Company whose job responsibilities involve working with personal data, and only for the period necessary to work with the relevant data. The list of such persons shall be determined by the Company.

8.8.3. If it is necessary to provide access to personal data to employees who are not included in the list of persons with access to personal data, they may be granted temporary access to a limited range of personal data by order of the director. The relevant employees must be familiarized with all local legal acts of the Company in the field of personal data and must also sign a personal data non-disclosure obligation.

8.8.4. Employees processing personal data without the use of automation tools are informed (including by familiarization with this Regulation) about the fact that they are processing personal data, the categories of personal data processed, as well as the features and rules for carrying out such processing established by law and this Regulation.

8.8.5. Employees of the Company who do not have properly issued clearance are prohibited from accessing personal data.

8.8.6. If it is necessary to use or distribute certain personal data separately from other personal data located on the same tangible medium, the personal data subject to distribution or use are copied in a manner that excludes the simultaneous copying of personal data that are not subject to distribution or use, and a copy of the personal data is used (distributed).

8.8.7. Personal data shall be updated during their processing without the use of automation tools by updating or changing the data on a tangible medium, and if this is not permitted by the technical features of the tangible medium, by recording on the same tangible medium information about the changes made to them, or by producing a new tangible medium with updated personal data.

8.9. Transfer.

8.9.1. The transfer of personal data of subjects to third parties is permitted in the minimum necessary volumes and only for the purpose of performing tasks corresponding to the objective reason for collecting this data.

8.9.2. The transfer of personal data to third parties, including for commercial purposes, is permitted only with the consent of the subject or other legal basis.

8.9.3. When transferring personal data to third parties, the subject must be notified of such transfer, except for cases specified by law, in particular, if:

- the subject of personal data is notified of the processing of his personal data by the operator who received the relevant data from the Company;

- personal data have been made publicly available by the personal data subject or obtained from a publicly available source;

- personal data are processed for statistical or other research purposes, for the professional activities of a journalist or scientific, literary or other creative activities, if this does not violate the rights and legitimate interests of the personal data subject.

8.9.4. Information containing personal data must be transferred in a manner that ensures protection from unauthorized access, destruction, modification, blocking, copying, distribution, as well as other illegal actions with respect to such information.

8.9.5. Cross-border transfer of personal data is prohibited if the territory of a foreign state does not ensure an adequate level of protection of the rights of personal data subjects, except in cases where:

- consent has been given by the personal data subject, provided that the personal data subject has been informed of the risks arising from the lack of an adequate level of protection;

- personal data have been obtained on the basis of an agreement concluded (being concluded) with the personal data subject for the purpose of performing the actions established by this agreement;

- personal data may be obtained by any person by sending a request in the cases and in the manner prescribed by law;

- such transfer is necessary to protect the life, health or other vital interests of the personal data subject or other persons if obtaining the consent of the personal data subject is impossible;

- personal data are processed within the framework of the implementation of international treaties of the Republic of Belarus;

- such transfer is carried out by the financial monitoring body for the purpose of taking measures to prevent the legalization of proceeds from crime, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction in accordance with the law;

- the relevant permission has been obtained from the authorized body for the protection of the rights of personal data subjects.

8.9.6. Persons receiving personal data must be warned that this data may only be used for the purposes for which it was communicated and in compliance with the confidentiality regime. The Company has the right to demand confirmation from these persons that this rule has been observed.

8.9.7. In cases where government agencies have the right to request personal data, or personal data must be provided by law, as well as in accordance with a court request, the relevant information may be provided to them in the manner prescribed by the legislation of the Republic of Belarus.

8.9.8. All incoming requests must be transferred to the person responsible for organizing the processing of personal data in the Company for preliminary consideration and approval.

8.10. Assignment of processing.

8.10.1. The Company has the right to assign the processing of personal data to an authorized person.

8.10.2. The agreement between the operator and the authorized person, the legislative act or the decision of the state body must define:

- the purposes of personal data processing;

- the list of actions that will be performed with personal data by the authorized person;

- obligations to maintain the confidentiality of personal data;

- measures to ensure the protection of personal data in accordance with Article 17 of the Law "On the Protection of Personal Data".

8.10.3. The authorized person is not required to obtain the consent of the personal data subject. If the processing of personal data on behalf of the operator requires the consent of the personal data subject, such consent shall be obtained by the operator.

8.10.4. If the operator entrusts the processing of personal data to an authorized person, the operator shall be liable to the personal data subject for the actions of the said person. The authorized person shall be liable to the operator.

8.11. Protection.

8.11.1. The protection of personal data is understood as a number of legal, organizational and technical measures aimed at:

- ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;

- maintaining the confidentiality of restricted information;

- exercising the right to access information.

8.11.2. To protect personal data, the Company shall take the necessary measures provided by law (including, but not limited to):

- restrict and regulate the composition of employees whose functional duties require access to information containing personal data (including through the use of passwords for access to electronic information resources);

- ensure conditions for storing documents containing personal data in a restricted access location;

- organize the procedure for destroying information containing personal data, unless the legislation establishes requirements for storing the relevant data;

- monitor compliance with the requirements for ensuring the security of personal data, including those established by this Regulation (by conducting internal audits, establishing special monitoring tools, etc.);

- conduct an investigation of cases of unauthorized access or disclosure of personal data, bringing the guilty employees to justice, and taking other measures;

- implement software and hardware means for protecting information in electronic form;

- ensure the ability to restore personal data modified or destroyed due to unauthorized access to them.

8.11.3. In order to protect personal data when processing them in information systems, the Company carries out the necessary measures provided by law (including, but not limited to):

- identifying threats to the security of personal data when processing them;

- applying organizational and technical measures to ensure the security of personal data when processing them in personal data information systems, necessary to meet the requirements for the protection of personal data;

- accounting of machine-readable media of personal data;

- detecting facts of unauthorized access to personal data and taking measures;

- restoring personal data modified or destroyed due to unauthorized access to them;

- establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system.

8.12. The Company has appointed persons responsible for the processing of personal data.

8.13. The Company takes other measures aimed at ensuring the fulfillment of obligations in the field of personal data stipulated by the legislation of the Republic of Belarus.

9. The requirement to ensure confidentiality when processing personal data means a mandatory requirement for the Company's officials authorized to process personal data and other persons who have access to personal data not to allow their dissemination without the consent of the personal data subject or the presence of another legal basis.

10. Ensuring the confidentiality of personal data is not required:

- in the event of depersonalization of personal data (actions that make it impossible to determine the ownership of personal data by a specific personal data subject without the use of additional information);

- for publicly available personal data (personal data disseminated by the personal data subject himself or with his consent or disseminated in accordance with the requirements of legislative acts).

Processing and storing confidential data by unauthorized persons is prohibited.

11. In order to ensure compliance with the requirements of confidentiality and security when processing personal data, the Company provides officials working with personal data with the necessary conditions for fulfilling the specified requirements:

- familiarizes the employee, against signature, with the requirements of this Regulation, the job description and other local legal acts of the Company in the sphere of ensuring the confidentiality and security of personal data;

- provides storage facilities for documents, means for accessing information resources (keys, passwords, etc.);

- teaches the rules for operating information security tools;

- conducts training;

- carries out other necessary activities.

12. Officials of the Company working with personal data are prohibited from communicating them orally or in writing to anyone, unless this is caused by official necessity.

Without the consent of the person appointed responsible for the implementation of internal control over the processing of personal data, the formation and storage of databases (card indexes, file archives, etc.) containing confidential data is prohibited.

13. The Company's officials working with personal data are obliged to use information about personal data solely for purposes related to the performance of their job duties.

14. Upon termination of a job function related to the processing of personal data, the employee must transfer to his/her manager (or the person responsible for the implementation of internal control over the processing of personal data) all information carriers containing personal data (originals and copies of documents, machine and paper media, etc.) that were at the disposal of the official in connection with the performance of official duties.

The transfer of personal data is carried out by the Company's official responsible for the processing of personal data on the basis of a written or oral instruction from the head of the structural unit.

15. The transfer of information and documents containing personal data is formalized by drawing up an act in the established form.

16. The official who provided personal data to third parties sends a written notice to the subject of personal data about the fact of the transfer of his/her data to third parties.

17. It is prohibited to transfer personal data by telephone, fax, e-mail, except for cases established by law.

Responses to inquiries from citizens and organizations are given to the extent that allows for personal data not to be disclosed in the responses, with the exception of data contained in the applicant's materials or published in publicly available sources.

18. Officials of the Company working with personal data are required to immediately notify their immediate supervisor and (or) the person responsible for the implementation of internal control over the processing of personal data at BEMZ OJSC of all facts that have become known to them of third parties obtaining unauthorized access or attempting to gain access to personal data, of the loss or shortage of information carriers containing personal data, certificates, passes, keys to safes (storage facilities), personal seals, electronic keys and other facts that may lead to unauthorized access to personal data, as well as the reasons and conditions for a possible leak of this information.

19. The processing of personal data, including personal data contained in an information system or extracted from such a system, is considered to be carried out without the use of automation tools (non-automated) if such processing is carried out with the direct participation of a person.

20. The head of the structural unit that processes personal data without the use of automation:

- determines the storage locations of personal data (physical media);

- monitors the availability in the structural unit of conditions that ensure the safety of personal data and exclude unauthorized access to them;

- informs persons processing personal data without the use of automation about the list of personal data being processed, as well as about the features and rules for carrying out such processing;

- organizes separate, i.e. non-mixing, storage of physical media of personal data (documents, disks, floppy disks, USB flash drives, etc.), which are processed for different purposes.

21. When recording personal data on physical media, it is not allowed to record on one physical medium personal data whose purposes of processing are obviously incompatible. For processing different categories of personal data, carried out without the use of automation, a separate physical medium must be used for each category of personal data.

22. If the purposes of personal data processing are incompatible, the head of the structural unit must ensure separate processing of personal data.

23. Destruction or depersonalization of part of the personal data, if permitted by the tangible medium, must be performed in a manner that excludes further processing of this personal data while maintaining the possibility of processing other data recorded on the tangible medium (deletion, erasure).

24. Clarification of personal data during their processing without the use of automation tools is performed by updating or changing the data on the tangible medium.

25. Processing of personal data using automation tools means performing actions (operations) with such data using computing facilities in the Company's computer network (hereinafter referred to as the KSO).

The security of personal data during their processing in the KSO is ensured by means of a personal data protection system, including organizational measures and means of information protection, as well as information technologies used in the KSO.

The technical and software means of information protection must meet the requirements established in accordance with the legislation of the Republic of Belarus, ensuring the protection of information. Information security tools used in the KSO undergo a compliance assessment procedure in accordance with the established procedure.

26. Persons are allowed to process personal data using automation tools on the basis of an order from the director, provided they have access passwords.

27. Work with personal data in the KSO must be organized in such a way as to ensure the safety of personal data carriers and information security tools, and to exclude the possibility of uncontrolled presence of unauthorized persons in these premises.

28. Sending personal data without using special security tools over publicly accessible communication networks, including the Internet, is prohibited.

29. When processing personal data in the KSO, users must ensure:

- use of sections (catalogues) of information carriers built into technical tools or removable marked media intended for this purpose;

- prevention of physical impact on technical tools for automated processing of personal data, which may result in disruption of their functioning;

- constant use of antivirus software to detect infected files and immediate restoration of personal data modified or destroyed due to unauthorized access to them;

- prevention of unauthorized removal from premises, installation, connection of equipment, as well as deletion, installation or configuration of software.

30. When processing personal data in the KSO, developers and administrators of information systems must ensure:

- training of persons using information security tools applied in the KSO in the rules for working with them;

- accounting of persons authorized to work with personal data in the KSO, access rights and passwords;

- accounting of the applied information security tools, operational and technical documentation for them;

- control over compliance with the terms of use of information security tools stipulated by the operational and technical documentation;

- description of the personal data protection system.

31. Specific requirements for the protection of personal data in individual automated systems of the Company are determined by instructions for their use and operation approved in the established manner.

Head of the OO: Sibil V.A.
Leading legal adviser: Asipenko S.V.
Deputy director for ideological work, personnel and security: Izotov A.I.
