This Personal Data Protection Policy (hereinafter the Policy) formulates the basic principles of processing the personal data of consumers, customers, suppliers, business partners, employees, and other persons, and also defines the main actions for the processing of personal data and measures for their protection for enterprises operating under the direction and control of Joint Venture «International Business Alliance», the list of which is defined in Annex 1 (hereinafter - Joint Venture «International Business Alliance» or organization).
The objectives of this Policy are to ensure the protection of human rights and freedoms in the processing of personal data, including the right to privacy, personal and family privacy, and unification of processing of personal data in the organization with the requirements of international law and the legislation of the countries where the organization operates.
In its daily business operations Joint Venture «International Business Alliance» uses various data on identifiable persons, including data on:
• Current, past, and prospective employees,
• Users of its websites,
• Other stakeholders.
In the collection and use of this data, the organization is subject to a number of legislative acts regulating the manner in which such activities are carried out and the security measures to be taken to protect the data.
Joint Venture «International Business Alliance» undertakes to comply with the laws and regulations concerning the protection of personal data in the countries where the organization operates.
The Policy is reviewed annually and whenever there are significant changes in the organization or in relevant legislation.
The Policy is mandatory for all employees of the Joint Venture «International Business Alliance», both staff and non-staff, and all structural subdivisions of the organization, including separate subdivisions. The requirements of the Policy are also applied to other persons if their participation in the process of processing of personal data by the organization is necessary, as well as in cases of transmission of personal data to them in accordance with the established procedure on the basis of agreements and contracts.
The Policy applies to any personal data, regardless of the type of media on which it is stored.
The Policy is a public document of the Joint Venture «International Business Alliance» and is available to any person for review.
The Policy is developed on the basis of and in accordance with the requirements of:
• Law of the Republic of Belarus "On information, informatization, and protection of information" of 10 November 2008. №455-3 (as amended: Law of the Republic of Belarus of 04.01.2014 №102-3 "On amendments and additions to the Law of the Republic of Belarus "On information, informatization and protection of information");
• European Data Protection REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
• Federal Law of the Russian Federation from 27.07.2006 № 152-FZ "On Personal Data";
• STB ISO/IEC 27001 (Appendix A, sections A.8.2, A.15.1.1, A.18.1.1, A.18.1.4).
If, as a result of changes in the legislation of the countries in which the company «International Business Alliance» is registered, any requirements of this Policy conflict with the legislation of these countries, such requirements cease to be valid. Until changes and additions are introduced to the Policy, the norms of the legislation of the countries in which Joint Venture «International Business Alliance» is registered are applied.
The following terms and definitions are used in this document:
Personal data - any information relating to an identified or identifiable individual ('data subject'); an identifiable individual is a person who can be identified directly or indirectly, in particular on the basis of identification information such as name, identification number, location data, Internet identifier (online identifier), or through one or more indicators of the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;
Processing of personal data - any transaction or set of transactions that are carried out with personal data or a set of personal data, using or without automated means, including collection, recording, ordering, structuring, storage, processing or modification, retrieval, and sampling, examination, use, disclosure by transfer, distribution or other means of access, grouping or combination, restriction of processing, erasure or destruction;
Controller - a natural or legal person, public body, agency, or other body which, independently or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by the law of the country of the location of the data subject, the Controller, or specific criteria for its designation, may be subject to the law of the country of the location of the data subject;
Processor - a natural or legal person, public body, agency, or other body that processes personal data in the name and on behalf of the Controller;
Special categories of personal data - personal data showing racial or ethnic affiliation, political views, religious or philosophical beliefs, trade union membership, health, intimate life, sexual orientation, genetic data, or biometric data, when used to identify an individual.
The Organization undertakes to observe the following principles when processing personal data.
Personal data should:
(a) Be processed legally, fairly, and transparently with respect to the data subject («principle of legality, fairness, and transparency»);
(b) Be collected for specific, explicit, and lawful purposes and shall not be further processed in a manner incompatible with these purposes; further processing for archiving purposes in the public interest, for scientific or historical research, or statistical purposes shall not be considered incompatible with the original objectives («the principle of limitation of objectives»);
(c) Be relevant and limited to what is necessary with respect to the purposes for which they are being processed (the «minimization principle»);
(d) Be accurate and, if necessary, updated in a timely manner; all reasonable steps should be taken to ensure that inaccurate personal data, depending on the purpose of its processing, are removed or corrected without delay («accuracy principle»);
(e) Be kept in a form that allows the identification of data subjects no longer than is required by the purpose of the processing of personal data; personal data may be stored for longer periods, to the extent that personal data will be processed solely for archiving purposes in the public interest, for scientific or historical research or statistical purposes, subject to the application of appropriate technical and organizational measures to protect the rights and freedoms of the data subject («the principle of limitation of the storage term»);
(f) Be processed in a manner that ensures adequate security of personal data, including protection from unauthorized or illegal processing, as well as from accidental loss, destruction or damage, using appropriate technical or organizational measures («the principle of integrity and confidentiality»).
Joint Venture «International Business Alliance» undertakes to abide by the above principles not only in the processing of personal data at present but also in the implementation of new methods and systems of processing.
The Organization is ready to confirm to the oversight body, upon request, compliance with the above-mentioned principles of processing personal data, as far as its activities as a controller are concerned («accountability principle»).
Before starting the processing of personal data as a controller, Joint Venture «International Business Alliance» determines the legal basis for processing.
If the organization processes, as a controller, special categories of personal data or data related to criminal convictions and offenses, the organization identifies both a legal basis for general processing and separate conditions for processing data of these types.
Joint Venture «International Business Alliance» preserves substantiated, documented evidence of the legality of the processing of personal data, as part of its activities as a controller, and provides it where necessary.
The organization processes personal data as a processor only on the basis of documented orders of the controller determined by the contract or by another legal act defining the subject and duration of the processing, the nature and purpose of processing, the type of personal data, and the category of data subjects, as well as the duties and rights of the controller. In this case, the controller determines the validity of the processing.
There are six applicable legal grounds for the general processing of personal data. There are ten separate conditions for processing special categories of personal data. Possible options are described in the following sections.
The organization will always have the explicit consent of the subject to collect and process its data, except where consent is not required by law.
In the case of processing the personal data of children under the age of 16 (a lower age may be allowed in some countries), the consent of the person with parental responsibility for the child must be obtained.
When requesting consent, Joint Venture «International Business Alliance» informs data subjects of the identity of the organization, the nature, and purpose of processing, the list of categories of personal data processed, and explains the rights of individuals regarding their personal data, including the right to withdraw consent. This information is provided in a clear and easily accessible form, using clear and simple language.
Joint Venture «International Business Alliance» requests separate consent for different purposes and types of processing and does not use pre-marked fields or any other default permission in requests.
If the collected and processed personal data are necessary for the performance of the contract with the data subject, explicit consent is not required. This paragraph applies when the contract cannot be completed without relevant personal data. For example, delivery cannot be performed without the delivery address.
If personal data need to be collected and processed to comply with the law, explicit consent is not required. This may be the case, for example, with some data related to employment and taxation and in many areas covered by the public sector.
Where personal data are necessary to protect the vital interests of the data subject or other natural person, then this need can be used as a legal basis for processing. For example, this can be used in the area of social assistance, especially in the public sector.
Where an organization is required to perform a task that it considers to be in the public interest or to be carried out under official authority, the consent of the data subject may not be sought.
If the result of processing or specific personal data is in the legitimate interests of the organization and does not affect the rights and freedoms of the data subject in a significant way, this may be defined as a legitimate reason for processing the data.
The Joint Venture «International Business Alliance» performs an assessment of its legitimate interests (LIA) to ensure observance of the principle of proportionality.
An organization processes special categories of personal data as a controller only if it has defined one of the following conditions for processing:
(a) The data subject has given express consent to the processing of the specified personal data for one or more specified purposes, unless the legislation of the country where the data subject is located does not provide for the right of the data subject to lift the prohibition on processing;
(b) Processing is necessary to fulfill the obligations and exercise the specific rights of the controller or data subject in the field of employment and social security and social protection legislation, provided that appropriate security measures are in place for the fundamental rights and interests of the data subject;
(c) Processing is necessary to protect the vital interests of the data subject or other natural person if the data subject is physically or legally incapable of giving consent;
(d) Processing is carried out for political, philosophical, religious, or trade union purposes by a foundation, association, or any other non-profit body within the framework of their lawful activities and with appropriate security measures, provided that the processing relates exclusively to members, former members of the body or persons who are in constant contact with it in connection with its purposes, and that personal data are not disclosed to third parties without the consent of the subject of personal data;
(e) Processing involves personal data that the data subject has explicitly made publicly available;
(f) Processing is necessary to bring, execute or protect legal actions or in cases where courts are acting within the limits of their judicial capacity;
(g) Processing is necessary for reasons of substantial public interest, provided that suitable and specific measures are in place to protect the fundamental rights and interests of the data subject;
(h) Processing is necessary for preventive or professional medicine, for assessment of the worker’s working capacity, for diagnosis of a medical condition, for provision of medical or social assistance or treatment, or for the management of health and welfare systems and services;
(i) Processing is necessary for reasons of public interest in the field of public health, for example, to protect against serious cross-border threats to health or to ensure high standards of quality and reliability of health care and medicines or medical equipment, provided that appropriate and specific measures are taken to protect the rights and freedoms of the data subject, in particular, professional secrecy;
(j) Processing is necessary for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, provided that suitable and specific measures are taken to protect the fundamental rights and interests of the data subject.
Joint Venture «International Business Alliance» processes personal data related to criminal sentences and offenses only under the control of the official body, or when processing is allowed by the legislation of the country where the data subject is located when the conditions for providing appropriate security measures for the rights and freedoms of data subjects are fulfilled.
The data subject has the following rights:
1. Right to information.
Individuals have the right to information about the collection and use of their personal data.
2. Right of access to data.
Individuals have the right to access their personal data.
3. Right to correction of data.
Natural persons have the right to request correction of their personal data if they are inaccurate or if they are incomplete.
4. Right to delete data ("the right to be forgotten").
Individuals have the right to request the deletion of their personal data.
5. Right to restriction of processing.
Individuals have the right to demand that the processing of their personal data be restricted or prevented.
6. Right to transfer data.
Individuals have the right to obtain their personal data and reuse it for their own purposes in different services.
7. Right of objection.
Individuals have the right to object to the processing of their personal data.
8. Rights in relation to automated decision-making and profiling.
Individuals have the right not to be affected by decisions based solely on automated processing, including profiling, which have a legal or similar significant impact on them.
The organization supports each of these rights through appropriate procedures that allow for the necessary action to be taken within the timescale indicated in Table 1.

| Data Subject Request | Timescale |
|---|---|
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right of correction | One month |
| The right of erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right of data portability | One month |
| The right to object | On receipt of objection |
| Rights in relation to automated decision making and profiling | Not specified |

Joint Venture «International Business Alliance» in its business activities takes or can take in some cases, if required, a number of organizational and technical measures to protect personal data from unauthorized or illegal processing, as well as from accidental loss, destruction, damage, or other improper actions with respect to personal data. These measures include:
• adopting and implementing regulatory documents for the processing and protection of personal data;
• taking a “data protection by design and default” approach - putting appropriate data protection measures in place throughout the entire lifecycle of the processing operations;
• putting in place written contracts with processors which process personal data on behalf of the organization;
• providing appropriate safeguards during the transfer of personal data to third countries;
• documenting its processing activities;
• implementing appropriate security measures;
• recording and, where necessary, reporting personal data breaches;
• carrying out data protection impact assessments for uses of personal data that are likely to result in a high risk to individuals’ interests;
• appointing a data protection officer (where necessary);
• adhering to relevant codes of conduct and compliance with certification schemes (where possible).
The organization adopts the principle of «data protection by design and default» and performs appropriate technical and organizational measures to implement the principles of data protection and protection of individual rights.
In essence, «data protection by design» means that Joint Venture «International Business Alliance» has integrated data protection into its systems, services, products, and business practices, starting from the design stage and continuing throughout the whole life cycle. The Organization uses only those data processors that provide sufficient assurance of their technical and organizational measures for data protection by design. The organization takes data protection by design into account when purchasing products for use in its data processing processes.
In essence, «data protection by default» means that Joint Venture «International Business Alliance» as far as its activities as a controller are concerned:
• determines before processing begins the minimum set of personal data required to achieve the specific purposes of the processing;
• informs the data subjects accordingly;
• processes only the data required for processing purposes;
• does not process additional personal data unless the data subject permits it to do so;
• ensures that personal data are not made available to others automatically until the data subject has given permission to do so;
• provides automatic protection of personal data in any IT system, service, product, and/or business practice, so that individuals do not have to take any specific action to protect their privacy;
• offers strong privacy settings, user-friendly settings, and controls, as well as adherence to user preferences.
The Organization takes into account the use of techniques such as pseudonymization, where applicable and appropriate.
Joint Venture «International Business Alliance» ensures that all relationships related to the processing of personal data in which the organization is involved, are regulated by documented contracts, which include certain information and conditions required by law.
The organization’s contracts include the following mandatory information:
• the subject and the duration of the processing;
• the nature and purpose of the processing;
• types of personal data and categories of data subjects;
• the obligations and rights of the controller.
The organization’s contracts include the following mandatory terms:
• the processor must act only in accordance with the written instructions of the controller (except when it is required by law to act without such instructions);
• the processor must ensure that persons authorized to process personal data undertake to respect confidentiality or are subject to a corresponding statutory confidentiality obligation;
• the processor must take appropriate measures to ensure the safety of the processing;
• the processor may engage the co-processor only with the prior consent of the data controller and the signing of a written contract;
• the processor must assist the data controller in ensuring that data subjects have their rights in accordance with the legislation of the country where the subject is located;
• the processor must assist the data controller in fulfilling his obligations regarding the security of processing, notifications of violations of personal data, and impact assessments of data protection;
• the processor must delete or return all personal data to the controller in accordance with the request at the end of the contract;
• the processor should facilitate audits and inspections, provide the controller with any information necessary to confirm that the processor is in compliance with its obligations, and immediately inform the controller if the processor is asked to do anything that violates data protection legislation.
Joint Venture «International Business Alliance», as the controller, appoints for processing only those processors who can provide «sufficient guarantees» that the requirements of the legislation of the countries where data subjects are located will be respected, and the rights of data subjects will be protected.
Joint Venture «International Business Alliance» transfers personal data to a third country or an international organization only if the requirements of the legislation of the countries where the data subjects are located are fully complied with, for example, if the transfer of personal data to that third country or international organization is authorized by the regulatory authority without further authorization by the supervisory authority, as there is a sufficient level of protection that meets the requirements of the law, or if the organization receiving the personal data has provided appropriate protective measures in accordance with the legal requirements.
Joint Venture «International Business Alliance» certifies before such transfer that upon its completion the level of protection of data subjects guaranteed by the legislation will not weaken, including in cases of subsequent transfer of personal data from a third country or international organization to controllers, processors in the same or another third country or international organization.
After such a transfer, the rights of individuals should remain valid and effective remedies for individuals should remain available.
Joint Venture «International Business Alliance», as part of its activities as a controller, maintains records of the following categories in order to document its processing activities:
• records of processing activities;
• the legal basis for the processing;
• records of consent;
• Legitimate Interests Assessment reports;
• information provided to data subjects;
• controller-processor contracts;
• the location of personal data;
• Data Protection Impact Assessment reports;
• records of personal data breaches.
Joint Venture «International Business Alliance», as part of its activities as a processor, maintains records of the following categories in order to document its processing activities:
• records of processing activities;
• controller-processor contracts;
• the location of personal data;
• records of personal data breaches.
Joint Venture «International Business Alliance», which employs fewer than 250 people, does not keep records of processing activities, unless the ongoing processing may lead to possible risks for the rights and freedoms of data subjects, when such processing is regular, or when processing covers special categories of personal data or personal data relating to criminal records and offenses.
Records are kept in writing. Records are constantly updated and reflect current processing.
The organization makes records available to the supervisory authority upon request.
Joint Venture «International Business Alliance» has identified and regularly updates threats to the security of personal data, if necessary, performs risk analysis related to the processing of personal data, documents findings, and uses them to assess the appropriate level of security, which should be implemented.
Personal data security is defined as the risk of unauthorized, including accidental, processing of personal data, as well as accidental or intentional loss, destruction, or damage of personal data.
Joint Venture «International Business Alliance» has allocated responsibility for information security to certain individuals and teams and provided them with appropriate resources and powers. Persons authorized by the organization to process personal data undertake, before commencing work with personal data, to observe confidentiality and other requirements of the Policy.
The company has information security rules and takes necessary steps for their implementation. Where required, Joint Venture «International Business Alliance» adopts additional regulatory documents and provides mechanisms for their implementation.
Joint Venture «International Business Alliance» regularly reviews its documents on information security and, if necessary, improves them. Joint Venture «International Business Alliance» conducts regular inspections and analysis of its information security measures to ensure that they remain effective and takes necessary actions on the results of these inspections, where areas for improvement have been identified.
Joint Venture «International Business Alliance» keeps records of assets involved in the process of processing of personal data (applications, systems, personnel, information carriers).
Joint Venture «International Business Alliance» uses encryption and/or pseudonymization where appropriate.
Joint Venture «International Business Alliance» is obliged to use means of cryptographic protection when transferring personal data through open channels of communication.
Joint Venture «International Business Alliance» has appropriate backup processes that enable it to restore integrity and access to personal data within a reasonable time.
Joint Venture «International Business Alliance» certifies that any data processor it uses also implements appropriate technical and organizational measures.
Joint Venture «International Business Alliance» provides necessary physical security measures to protect premises, equipment, and information from unauthorized access.
Joint Venture «International Business Alliance» has defined measures to ensure business continuity, which protect and restore any personal data stored by the organization.
Joint Venture «International Business Alliance» conducts appropriate initial and repeated data protection training for personnel involved in data processing, covering the duties of personnel in the processing of personal data, staff’s responsibility to protect personal data, and rules and restrictions on staff use of systems and services (for example, to avoid viruses or spam).
The organization has developed a response plan to address any personal data violations that may occur. Joint Venture «International Business Alliance» distributed the responsibility for the management of violations to certain individuals and teams. The employees of the organization know how to bring to the attention of the appropriate responsible person or team at Joint Venture «International Business Alliance» information about the information security incident to determine whether a violation has occurred.
Joint Venture «International Business Alliance» has adopted the procedure of notification of the supervisory body about the violation within 72 hours after it became known, even if all details are not yet available. The organization has adopted a procedure to inform affected individuals without undue delay of the violation when it may result in a high risk to their rights and freedoms. The organization’s data protection inspectors monitor the process of reporting violations to data subjects and oversight bodies.
Joint Venture «International Business Alliance» documents all violations, even if not all of them must be reported.
Joint Venture «International Business Alliance», acting as the controller, performs a Data Protection Impact Assessment (DPIA) when the processing of personal data can lead to a high risk for individuals.
The organization considers the feasibility of a DPIA in any major project using personal data performed as a controller. If Joint Venture «International Business Alliance» decides not to conduct a DPIA, it documents the reasons for its decision.
• describe the nature, scope, context, and purpose of the processing;
• assess the need for processing and the proportionality of the objectives;
• identify risks and assess their level for individuals;
• identify any measures to mitigate these risks and to demonstrate compliance with the legislation.
If, when performing a DPIA, the organization identifies a high risk that it cannot mitigate, it will consult with the oversight body before starting processing.
Joint Venture «International Business Alliance» is not obliged to appoint a Data Protection Officer (DPO), as it is not a government body, does not conduct large-scale monitoring, and does not process special categories of personal data on a large scale, but it decided to do so voluntarily. The organization understands that the same duties and responsibilities apply in this case as in the mandatory appointment of the DPO. Joint Venture «International Business Alliance» appoints a DPO at the head office and, if necessary, at individual enterprises of the organization.
Joint Venture «International Business Alliance» has instructed its DPO to monitor compliance with laws and with the organization’s regulatory documents on personal data protection, awareness raising, training of personnel, and audits related to the protection of personal data. Joint Venture «International Business Alliance» involves its DPO in a timely manner in all issues related to the protection of personal data.
The organization’s DPOs inform and advise the personnel of the organization performing the processing of personal data about their obligations under the data protection legislation.
The head office DPO reports directly to the top management of the organization. The DPOs of the rest of the organization work with the head office DPO and report to the management of their enterprises and the top management of the organization. All of the organization’s DPOs have the necessary independence to perform their tasks.
The organization’s DPOs, as contact persons, are easily accessible to our employees, individuals, and supervisory authorities. Joint Venture «International Business Alliance» has published the contact details of its DPO and has transferred them to the supervisory body.
Professional associations and representative bodies may draw up codes of conduct covering topics such as fair and transparent processing, legitimate interests pursued by supervisors, pseudonymization, the exercise of human rights, and others.
In addition, supervisory bodies or accredited certification bodies may issue certificates of compliance with legislative requirements of data processing processes.
Compliance with a code of conduct and certification is voluntary, but the organization sees them as a great way to monitor and demonstrate compliance with privacy requirements.