Policy on the processing of personal data
Closed Joint Stock Company “Kinergo”
30.05.2022
Minsk
POLICY OF KINERGO CJSC
REGARDING THE PROCESSING OF PERSONAL DATA
CHAPTER 1
GENERAL PROVISIONS, LEGAL GROUNDS
1.1. The policy of Kinergo CJSC in the field of personal data processing (hereinafter referred to as the “Policy”) defines the basic principles, objectives, procedure and conditions for processing personal data in Kinergo CJSC (hereinafter referred to as the “Organization”), the rights of personal data subjects, as well as measures implemented in the Organization to protect personal data.
1.2. The Policy has been developed taking into account the requirements of the following regulatory legal acts:
– Constitution of the Republic of Belarus;
– Labor Code of the Republic of Belarus;
– The Law of the Republic of Belarus of 07.05.2021 N 99-Z “On the protection of personal data” (hereinafter – “Law No. 99-Z”);
– The Law of the Republic of Belarus of 21.07.2008 N 418-Z “On the Population Register” (hereinafter – “Law No. 455-Z”);
– The Law of the Republic of Belarus of 10.11.2008 N 455-Z “On information, informatization and information protection”;
– Decree of the President of the Republic of Belarus of 28.10.2021 N 422 “On measures to improve the protection of personal data”;
– other regulatory legal acts of the Republic of Belarus and regulatory documents of authorized state authorities.
1.3. The development of the Policy is provided for in Article 17 of Law No. 99-Z as a mandatory measure for legal entities processing personal data. The Organization provides unlimited access to the Policy, including using the global computer network Internet.
1.4. The terms and definitions used in the local legal acts of the Organization regulating the processing of personal data are used in the meanings established by the regulatory legal acts specified in clause 1.2 of the Policy. The definition of the term “personal data” and the classification (types) of personal data are used in the meanings established by Article 1 of Law No. 99-Z and Articles 8, 10 of Law No. 455-Z.
CHAPTER 2
THE LIST OF SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED IN THE ORGANIZATION
2.1. The Organization processes personal data of the following categories of subjects:
2.1.1. employees of the Organization;
2.1.2. individuals providing services (performing work) for the Organization under contracts for the provision of services (contract agreements);
2.1.3. applicants for vacancies of the Organization, including for the conclusion of contracts for the provision of services (contract agreements);
2.1.4. individuals purchasing the Organization’s products.
2.2. The list of personal data processed in the Organization is determined in accordance with the legislation of the Republic of Belarus and local legal acts of the Organization, taking into account the purposes of processing personal data specified in Chapter 3 of the Policy.
CHAPTER 3
PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING
3.1. The processing of personal data in the Organization is carried out taking into account the need to ensure the protection of the rights and freedoms of personal data subjects, including the protection of the right to privacy, personal and family secrets, based on the following principles:
– processing of personal data is carried out on a legal and fair basis;
– the processing of personal data is carried out in proportion to the stated purposes of their processing and ensures at all stages of such processing a fair balance of interests of all interested parties;
– processing of personal data is carried out with the consent of the subject of personal data, except in cases provided for by legislative acts;
– the processing of personal data is limited to the achievement of specific, pre-stated legitimate goals;
– the content and volume of the processed personal data correspond to the stated purposes of their processing;
– the processing of personal data is transparent;
– the Organization takes measures to ensure the reliability of the personal data processed by it and updates them if necessary;
– the storage of personal data is carried out in a form that allows identifying the subject of personal data, no longer than the stated purposes of personal data processing require;
– the Organization provides ways to store personal data that exclude the possibility of data leakage or of obtaining unauthorized access to them.
3.2. Personal data is processed in the Organization for the following purposes:
3.2.1. with respect to the subjects of personal data specified in clauses 2.1.1–2.1.3 of the Policy: accounting of working hours, payroll, tax accounting, personnel records management, military accounting, reporting to state bodies, archival storage of data, performance of official duties or obligations under a civil contract, control of equipment security, for other legitimate purposes;
3.2.2. with respect to the subjects of personal data specified in clause 2.1.4 of the Policy: transactions, delivery of the ordered goods, maintenance of the customer database, for other legitimate purposes.
CHAPTER 4
THE PROCEDURE AND CONDITIONS FOR PROCESSING PERSONAL DATA IN THE ORGANIZATION
4.1. The processing of personal data in the Organization is carried out with the consent of the personal data subject to the processing of his personal data, unless otherwise provided by the legislation of the Republic of Belarus in the field of personal data.
4.2. The Organization performs the following actions with personal data: collection, systematization, storage, modification, use, depersonalization, blocking, distribution (provision), deletion.
4.3. The Organization does not provide or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by the legislation of the Republic of Belarus.
4.4. With the consent of the personal data subject, the Organization has the right to provide (distribute) personal data:
– telecom operators (for sending correspondence and (or) goods);
– organizations and individual entrepreneurs providing audit services to organizations;
– banks and organizations that provide acquiring services to organizations, other services related to the need to make payments;
– organizations that provide hosting services to organizations, end-to-end analytics services and loyalty program services;
– organizations that provide hotel services, booking and (or) sale of transport tickets to organizations, visa centers and other organizations that provide visa support or travel services;
– in other cases, if this is provided for by the consent of the subject of personal data.
4.5. The processing of personal data is carried out both in an automated and non-automated way.
4.6. When processing personal data, the Organization:
– takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Republic of Belarus in the field of personal data;
– takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, as well as from other illegal actions in relation to personal data;
– appoints a person responsible for the implementation of internal control over the processing of personal data;
– appoints a person responsible for the technical and cryptographic protection of personal data processed in the Organization;
– approves the list of information resources (systems) containing personal data processed in the Organization; the list of officials who directly process personal data in the Organization; the list of officials who have access to personal data processed in the Organization; categories of personal data to be included; purposes of personal data processing; personal data retention period;
– obtains the consent of personal data subjects to the processing of their personal data, except in cases provided for by the legislation of the Republic of Belarus;
– explains to the subjects of personal data their rights related to the processing of personal data;
– familiarizes employees of the Organization directly engaged in the processing of personal data with the provisions of the legislation of the Republic of Belarus and local legal acts of the Organization in the field of personal data, including the requirements for the protection of personal data;
– performs other actions provided for by the legislation of the Republic of Belarus in the field of personal data.
CHAPTER 5
RIGHTS OF PERSONAL DATA SUBJECTS
5.1. Personal data subjects have the right to:
– revoke the consent of the personal data subject;
– obtain information concerning the processing of personal data and change personal data;
– demand the termination of the processing of personal data and (or) their deletion;
– appeal against actions (inaction) and decisions of the Organization related to the processing of personal data.
CHAPTER 6
FINAL PROVISIONS
6.1. The Policy is valid indefinitely until it is replaced by a new version. The Organization has the right to make changes to the Policy.
6.2. In case of changes in the legislation of the Republic of Belarus in the field of personal data, the Policy will be effective in the part that does not contradict the legislation of the Republic of Belarus.
Managing director A.V. Shatkov