Policy on Personal Data Processing

1. Scope of Application

This Policy on the Processing and Security of Personal Data of the Unitary Service Enterprise "Manpower Bel" (hereinafter referred to as the Policy) is a document that defines the fundamental principles of the activities of the Unitary Service Enterprise "Manpower Bel" (hereinafter referred to as the Company, Operator) in the processing and protection of personal data.

The Policy is developed in accordance with the requirements of the legislation of the Republic of Belarus on personal data processing and protection.

The Policy outlines the legal grounds for personal data (PD) processing, the principles and purposes of such processing, the rules for data processing, information about the protective measures in place, and details of the rights of personal data subjects.

The provisions of this Policy are mandatory for all employees of the Unitary Service Enterprise "Manpower Bel" involved in the processing of personal data.

This Policy is subject to publication on the official website of the Unitary Service Enterprise "Manpower Bel."

2. Purposes and Principles of Personal Data Processing

2.1 Purposes of Personal Data Processing

The Company processes personal data for the following purposes:

• Conclusion, administration, amendment, and termination of employment contracts, which serve as the basis for the establishment or termination of employment relationships between employees and the employer.
• Assisting employees in training and career development.
• Facilitating access to social benefits and compensations.
• Providing information upon requests from government authorities.
• Fulfilling obligations under employment contracts.
• Conducting contract coordination processes and fulfilling contractual requirements with counterparties.
• Communicating with employees.
• Communicating with suppliers.
• Informing employees about corporate life at the Unitary Service Enterprise "Manpower Bel."
• Assisting employees in organizing internal communications.
• Providing access to IT infrastructure.
• Concluding, amending, and terminating voluntary medical and life insurance contracts.
• Conducting other activities within the framework of the legislation of the Republic of Belarus, ensuring compliance with the requirements for personal data protection.
• Reviewing resumes and selecting candidates for vacant positions for subsequent employment at the Unitary Service Enterprise "Manpower Bel" or client companies.
• Maintaining a candidate database.
• Fulfilling obligations under contracts with counterparties.
• Concluding, administering, amending, and terminating contracts.
• Complying with obligations prescribed by current legislation, local regulatory acts, and other regulatory legal acts (including those related to occupational health and safety).

2.2 Scope and Categories of Personal Data Subjects

The content and scope of the personal data processed correspond to the stated purposes of processing. Processing of excessive personal data unrelated to the stated purposes is not allowed.

In the Company’s personal data information systems, the following categories of personal data subjects are processed:

• Employees;
• Relatives of employees;
• Candidates for vacant positions;
• Former employees;
• Individual counterparties;
• Representatives of legal entity counterparties.

As part of personal data processing, the Company performs the following actions: collection, recording, systematization, accumulation, storage, clarification (updating, modification), use, transfer (distribution, provision, granting access to a limited circle of persons in accordance with current legislation), anonymization, blocking, deletion, and destruction of personal data.

2.3 Principles of Personal Data Processing

To ensure the effective operation of personal data processing procedures, the Company adheres to the following principles:

• Legality: Personal data processing is carried out on a lawful and fair basis.
• Purpose Limitation: Personal data processing is limited to achieving specific, predefined, and lawful purposes. Personal data must not be processed in ways that are incompatible with these purposes. The consolidation of databases containing personal data, processed for purposes that are incompatible, is not permitted. Only personal data relevant to the purposes of processing are subject to processing.
• Data Minimization: The content and scope of personal data processed correspond to the declared purposes of processing, and the data are adequate for these purposes.
• Data Accuracy: The Company takes adequate measures to promptly delete or correct personal data that are inaccurate with respect to the purposes of processing.
• Storage Limitation: Personal data are stored in a form that allows identification of the personal data subject no longer than required for the purposes of processing unless the data retention period is established by law, contract, or another agreement to which the personal data subject is a party, beneficiary, or guarantor. Processed personal data must be destroyed or anonymized upon achieving the purposes of processing or if the need to achieve those purposes is lost unless otherwise provided by law.
• Confidentiality, Integrity, and Availability: Personal data are processed in a manner that ensures a reasonable level of security. This involves the use of appropriate and adequate organizational and technical measures to protect data from unauthorized or unlawful processing and from accidental loss, destruction, or damage.

3. Procedure and Conditions for Processing Personal Data

3.1 Grounds for Processing Personal Data Subjects

Processing of personal data is carried out with the consent of the personal data subject, except in cases stipulated by the Personal Data Protection Law and other legislative acts.

If personal data is processed without the consent of the data subject, the purposes of such processing are determined by the Personal Data Protection Law and other legislative acts.

Consent of the personal data subject is not required in the following cases:

• For maintaining individual (personalized) accounting of information about insured persons for the purposes of state social insurance, including professional pension insurance;
• When formalizing employment (service) relations and in the course of the employment (service) activities of the personal data subject in cases stipulated by legislation;
• When personal data is obtained by the Operator based on a contract concluded (or being concluded) with the personal data subject for performing actions stipulated by the contract;
• When processing personal data specified in a document addressed to the Operator and signed by the personal data subject, in accordance with the content of such a document;
• For the purposes of lawful professional journalistic activities and/or activities of mass media organizations or publishing organizations aimed at protecting public interest, which includes society’s need to detect and disclose information about threats to national security, public order, public health, the environment, or information affecting the performance of official duties by public officials, prominent individuals, or public figures (except as stipulated by civil, economic, criminal, or administrative procedural legislation);
• In other cases specified in Article 6 of the Personal Data Protection Law.

The consent form for personal data processing is developed by the Unitary Enterprise for Service Provision "Manpower Bel" in accordance with the principle of providing the subject with the most complete and sufficient information in an accessible form regarding the processing of their personal data. The form includes the following information:

• Name (surname, first name, patronymic [if applicable]) and location (address of residence or stay) of the operator receiving the consent of the personal data subject;
• Purposes of processing personal data;
• List of personal data for which the subject’s consent is given;
• Period for which the subject's consent is granted;
• Information about authorized persons if the processing will be carried out by such persons;
• List of actions with personal data for which consent is given and a general description of the processing methods used by the operator;
• Other information necessary to ensure the transparency of the personal data processing procedure.

Individuals granted access to personal data must sign a confidentiality agreement regarding the information containing personal data.

3.2 Methods of Processing Personal Data

The Company processes personal data using automated and non-automated means in accordance with current legislation.

Personal data processing is carried out with respect for data confidentiality. Access to personal data is regulated by the Company’s internal documents and is granted only to employees whose job responsibilities require access to personal data.

The Company does not make decisions that result in legal consequences for personal data subjects or otherwise affect their rights and legitimate interests based on automated personal data processing.

3.3 Cross-Border Transfer of Personal Data

The cross-border transfer of personal data is prohibited if the foreign country does not provide an adequate level of protection for the rights of personal data subjects, except in the following cases:

• The personal data subject has given consent, provided they are informed about the risks arising from the lack of an adequate level of protection;
• Personal data is obtained based on a contract concluded (or being concluded) with the personal data subject to perform actions stipulated by the contract;
• Personal data can be obtained by any person by submitting a request in cases and procedures stipulated by legislation;
• The transfer is necessary to protect the life, health, or other vital interests of the personal data subject or other individuals if obtaining the subject's consent is impossible;
• Personal data processing is carried out as part of the fulfillment of international agreements of the Republic of Belarus;
• The transfer is conducted by a financial monitoring body to take measures against money laundering, financing terrorism, or financing the proliferation of weapons of mass destruction, in accordance with the law;
• Appropriate authorization has been obtained from the competent authority for the protection of personal data subjects' rights.

3.4 Conditions for Termination of Personal Data Processing

The Company terminates personal data processing in the following cases:

• Achievement of the purposes of personal data processing or the loss of necessity in achieving them;
• Withdrawal of the subject's consent to personal data processing (if the withdrawal entails the destruction of personal data);
• Receipt of a corresponding order from the authorized authority for the protection of personal data subjects' rights.

4. Organization of Personal Data Protection

The Company ensures comprehensive protection of personal data, based on:

• Current legislation on ensuring the security of personal data;
• The nature, context, and purposes of personal data processing;
• The processes and scale of personal data processing;
• The economic evaluation of the implementation of personal data protection tools and methods;
• Risk assessment of the likelihood and severity of possible consequences for personal data subjects (risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed personal data).

When processing personal data, the Company takes all necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, as well as other unlawful actions concerning personal data.

Ensuring personal data security is achieved, in particular, through the following measures:

• Ensuring confidentiality, integrity, availability, and resilience of personal data processing systems;
• Restoring personal data modified or destroyed as a result of unauthorized access;
• Establishing rules for accessing personal data processed in the personal data information system and ensuring the registration and accounting of all actions performed with personal data in the system;
• Identifying facts of unauthorized access to personal data and taking appropriate protective measures;
• Identifying threats to the security of personal data during their processing in information systems;
• Adopting local regulatory acts and other documents governing the processing and protection of personal data;
• Keeping records of data storage devices containing personal data;
• Evaluating the effectiveness of measures taken to ensure personal data security before commissioning the personal data information system;
• Appointing a person responsible for organizing the processing and ensuring the security of personal data;
• Conducting regular testing and evaluating the effectiveness of technical and organizational measures for ensuring personal data security;
• Performing internal control and/or audits to ensure compliance with the legislation of the Republic of Belarus and the European Union on personal data processing and protection;
• Familiarizing employees who directly process personal data with the provisions of the legislation of the Republic of Belarus on personal data, including requirements for personal data protection, policy documents on personal data processing, and local regulations on personal data processing.

5. Rights of the Personal Data Subject

The personal data subject confirms consent to data processing by performing a specific action that clearly indicates that the subject, in the given context, agrees to the intended processing of their personal data.

The personal data subject has the right to request that the Company clarify their personal data, block, or destroy it if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not required for the stated purpose of processing. The subject may also take legally provided measures to protect their rights.

The right of the personal data subject to access their personal data may be restricted in accordance with the law, including cases where access to their data violates the rights and legitimate interests of third parties.

The personal data subject has the right to protect their rights and legitimate interests, including compensation for damages and/or moral harm through legal proceedings.

In accordance with the legislation of the Republic of Belarus, the personal data subject has the right to obtain information related to the processing of their personal data.

Information is provided to the personal data subject or their representative by authorized Company representatives upon receiving a written request from the personal data subject or their representative.

To exercise and protect their rights and legitimate interests, the personal data subject has the right to contact the Unitary Enterprise for Service Provision "Manpower Bel."

Final Provisions

This Policy is valid until it is canceled or suspended by the management of the Unitary Enterprise for Service Provision "Manpower Bel."

Individuals guilty of violating rules governing the processing and protection of personal data are subject to disciplinary, material, and administrative liability in accordance with current legislation and local regulatory acts.