POLICY OF JSC Belagroprombank on the processing of personal data
POLICY OF JSC Belagroprombank on the processing of personal data
APPROVED
Order of the Chairman of the Board
JSC "Belagroprombank" 11/12/2021 No. 846
(as amended by the order of the Chairman of the Board
JSC "Belagroprombank" 12/26/2022 No. 1053)
POLICY OF JSC Belagroprombank on the processing of personal data
CHAPTER 1
GENERAL PROVISIONS
1. This Policy of JSC Belagroprombank on the processing of personal data (hereinafter referred to as the Policy) was developed in accordance with the requirements of the Law of the Republic of Belarus dated 05/07/2021 N 99-Z “On the Protection of Personal Data” (hereinafter referred to as the Law) and explains to subjects of personal data how and for what purposes their personal data is collected, used or otherwise processed at JSC Belagroprombank (hereinafter referred to as the bank), and also determines the procedure and mechanism for the exercise by subjects of personal data of their rights established by the Law.
2. This Policy uses terms and their definitions in the meanings defined in the Law.
3. The policy is publicly available and is posted on the bank’s official website on the global computer network Internet: https:// www. belapb.by.
4. The policy serves as the basis for organizing work on the processing of personal data in the bank and is mandatory for rewiew and execution by all bank employees and other persons directly processing personal data in the bank or on behalf of the bank or in its interests.
5. This Policy applies to all business processes of the bank related to the processing of personal data, with the exception of the processing of personal data in the course of employment and in the implementation of administrative procedures (in relation to employees and former employees of the bank), as well as users of the website in parts of cookies <1> and bank mobile applications used by personal data subjects.
--------------------------------
<1> Text file saved in the browser of the computer (mobile device) of the user of a website owned by the bank when the user visits it to reflect the actions he has performed. This file allows you to avoid having to re-enter or select the same parameters when you visit the site again.
6. Domain names <2> of the bank’s resources on the global computer network Internet, which are subject to the Policy: www.belapb.by, ibank. belapb.by, hr.belapb.by. The Bank may place other resources on the global computer network Internet, which should not contradict this Policy. Each of the bank's resources on the global Internet has its own rules regarding the use of cookies.
--------------------------------
<2> A domain name is a unique alphanumeric identifier of a specific node (device or network connection) that is part of the Internet; title, site name. Domain names are used to conveniently remember the addresses of nodes and network resources (sites, blogs, social networks, mail servers, etc.) that are located on them.
7. This Policy is assessed for relevance as necessary, but at least once a year, including in the event of changes in legislation on personal data.
8. Contacts for interaction of personal data subjects with the bank:
postal address: Zhukova Ave., 3, Minsk, 220036;
email address: info @belapb.by.
CHAPTER 2
PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING
9. The Bank independently processes personal data to the extent necessary to fulfill the stated goals, mainly using automation tools, not excluding cases of processing without the use of automation tools.
10. The bank processes personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data, in the manner and under the conditions determined by the Law, local legal acts of the bank, legal grounds for processing personal data .
The sources for obtaining personal data of personal data subjects are:
information contained in the documents provided by the personal data subject to carry out a banking operation (applications, questionnaires, contracts, etc.) by the bank;
requests sent by the personal data subject to the bank;
entries left by the personal data subject in the book of complaints and suggestions;
information resources of government bodies and other organizations (National Bank, Ministry of Internal Affairs, Ministry of Economy, Interbank Identification System, Open Joint Stock Company "Belarusian Interbank Settlement Center", Republican Unitary Enterprise "National Center for Electronic Services" and others);
information provided to the bank by government bodies, a legal entity, another organization, an individual, including an individual entrepreneur, for its processing by the bank on their behalf or in their interests (cases when the bank is an authorized person).
11. The Bank may entrust the processing of a limited amount of personal data, for example, for advertising and informational purposes on its own behalf or in its interests to an authorized person (organization selected on a competitive basis) on the basis of an agreement concluded with this third party.
12. The Bank does not transfer personal data to third parties, except for cases provided for by legislative acts, including for the purposes of the functioning of the Interbank Identification System, the automated information system of the National Bank "Credit Register".
13. In cases where the processing of personal data is carried out by the bank in the status of an authorized person, the actions performed with personal data are determined by the operator, including when the bank provides insurance services in the interests of the Belarusian Republican Unitary Insurance Enterprise "Belgosstrakh", the Republican Unitary Insurance Enterprise "Stravita ", when organizing an internship in a bank for students of educational institutions.
14. The bank, as a rule, is an independent operator of personal data processing when using the services of the Interbank Identification System, the automated information system of the National Bank "Credit Register", the National Center for Electronic Services, making payments on bank payment cards in the open joint-stock company "Bank Processing Center".
15. The conditions for terminating the processing of personal data and blocking access to them or deleting them are:
achieving the purposes of personal data processing;
expiration of the personal data subject’s consent to the processing of personal data;
withdrawal of the personal data subject’s consent to the processing of personal data;
termination of other legal grounds for the processing of personal data;
request of the personal data subject to stop processing and (or) delete personal data;
identification (verification) of the fact of unlawful processing of personal data;
requirement of the authorized body for the protection of the rights of personal data subjects, other authorized bodies (organizations, individuals).
16. The legal grounds for the bank’s processing of personal data are:
consent of the personal data subject;
other legal grounds provided for by the Law and other legislative acts.
17. The purposes, categories of subjects, list of personal data and periods of their storage are given in the Appendix to this Policy, which is an integral part of this Policy.
CHAPTER 3
CROSS-BORDER TRANSFER
18. The bank does not transfer personal data to the territory of foreign states (cross-border transfer of personal data) when implementing business processes related to transfers of funds to individuals.
19. The bank may transfer personal data when carrying out other banking operations or for the execution of an agreement, to which the personal data subject is a party, to the territory of a foreign state if this state ensures an adequate level of protection of the rights of the personal data subject, in compliance with the general provisions on processing personal data without obtaining any additional permissions.
20. The list of foreign states on whose territory an adequate level of protection of the rights of personal data subjects is ensured includes foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on January 28, 1981.
21. Cross-border transfer of personal data by a bank to the territory of foreign states that do not provide an adequate level of protection of the rights of the personal data subject may be carried out:
with the written consent of the personal data subject, provided that the personal data subject is informed of the risks arising from the lack of an adequate level of protection for cross-border transfer of personal data;
when personal data is obtained on the basis of an agreement concluded (to be concluded) with the personal data subject in order to perform actions established by this agreement;
in other cases provided for by the Law.
CHAPTER 4
RIGHTS OF PERSONAL DATA SUBJECTS
2 2. Personal data subjects of have the right:
22.1. to withdraw their consent if, in order to process personal data, the bank contacted the personal data subject to obtain it. The right to withdraw consent cannot be exercised in the case where the processing of the subject’s personal data is carried out on the basis of an agreement concluded (to be concluded) with the personal data subject (for example, a loan agreement, a bank deposit agreement, a current (settlement) account agreement, etc. .); a document addressed to the bank as an operator (appeal, etc.); in cases where the processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts;
22.2. to receive information regarding the processing of personal data by the bank, containing:
name and location of the bank;
confirmation of the fact of processing the personal data of the applicant by the bank (authorized person);
their personal data and the source of its receipt;
legal grounds and purposes of processing personal data;
the period for which his consent was given (if the processing of personal data is carried out on the basis of consent);
name and location of the authorized person (authorized persons);
other information required by law;
22.3. require the bank to make changes to personal data if the personal data is incomplete, outdated or inaccurate. For these purposes, the personal data subject attaches the relevant documents and (or) their duly certified copies confirming the need to make changes to the personal data;
22.4. receive information from the bank about providing their personal data processed by the bank to third parties. This information is provided once a year free of charge;
22.5. demand from the bank to stop processing their personal data free of charge, including their deletion, in the absence of grounds for processing personal data provided for by the Law and other legislative acts;
22.6. appeal actions (inaction) and decisions of the bank that violate its rights when processing personal data to the authorized body for the protection of the rights of personal data subjects in the manner established by the legislation on appeals of citizens and legal entities.
23. To exercise their rights related to the processing of personal data by the bank, provided for in subclauses 22.1 - 22.5 of this Policy, the personal data subject submits an application to the bank in writing or in the form of an electronic document issued in Portable format Document Format ( PDF/A1 or PDF/A2) <3>.
--------------------------------
<3> Standard ISO 19005-1:2005.
24. The application must contain:
surname, first name, patronymic (if any) of the personal data subject, address of his place of residence (place of stay);
date of birth of the personal data subject;
identification number of the personal data subject, in the absence of such a number - the number of the document identifying the personal data subject, in cases where this information was indicated by the personal data subject when giving his consent to the operator or the processing of personal data is carried out without the consent of the personal data subject;
statement of the essence of the requirements of the personal data subject;
personal signature or electronic digital signature of the personal data subject, generated using a personal key, the public key certificate of which is issued in the State Public Key Management System for verifying electronic digital signatures of the Republic of Belarus.
CHAPTER 5
MEASURES TO ENSURE THE PROTECTION OF PERSONAL DATA
25. The bank takes all mandatory measures to ensure the protection of personal data provided for by the Law and other legislative acts.
The bank has determined the composition and list of measures necessary and sufficient to fulfill its obligations to ensure the protection of personal data.
In particular, legal measures have been implemented:
the personal data protection department of the cybersecurity department is determined by the structural unit of the bank responsible for internal control over the processing of personal data;
the Policy of JSC Belagroprombank on the processing of personal data has been developed, approved and published on the global computer network Internet;
separate local legal acts of the bank establish the procedure for access to personal data, including those processed in information resources (systems), and classify them;
the procedure for the exercise of rights by personal data subjects has been established;
the procedure for internal control over the processing of personal data has been established;
the procedure and scope of informing personal data subjects have been determined, consent forms for the processing of personal data have been developed and approved;
the form, procedure for maintaining and using the register of information resources (systems) for the processing of personal data has been developed and approved.
Organizational measures are being implemented:
provides acquaintance of employees who directly process personal data with the provisions of the legislation on personal data, including the local legal acts of the bank for the protection of personal data, as well as this Policy;
the training is provided for persons directly involved in the processing of personal data and persons responsible for internal control over the processing of personal data;
the possibility of exercising the rights of personal data subjects on paper is ensured;
recording and storage of information on the provision of personal data subjects to third parties is carried out.
The bank takes measures for technical and cryptographic protection of personal data in the manner established by the Operational and Analytical Center under the President of the Republic of Belarus.
26. The bank has created an information protection system for all information systems that process personal data, certified for compliance with information protection requirements, which includes a set of organizational and technical measures aimed at ensuring the confidentiality, integrity and availability of information.
27. The bank notifies the authorized body for the protection of the rights of personal data subjects about violations of the bank’s personal data protection systems immediately, but no later than three working days after the bank became aware of such violations, except for cases provided for by the authorized body for the protection of the rights of personal data subjects.
28. The bank notifies of a recorded incident of violation of the bank’s personal data protection systems, which led to unauthorized processing by third parties of personal data subjects (leakage of personal data), by posting the relevant information on the bank’s official website on the global computer network Internet no later than five working days after the bank became aware of such a violation. In cases where a leak of personal data may lead to a high level of risk for the rights and freedoms of personal data subjects, the bank additionally informs the latter via viber, sms or e - mail channels .
CHAPTER 6
FINAL PROVISIONS
29. Issues related to the processing of personal data not covered by this Policy are regulated by the Law and other legislative acts.
30. If, after the publication of this Policy, an act of legislation establishing rules other than those that were in force acted upon the publication of this Policy is adopted, the provisions and requirements provided for by regulatory legal acts shall be applied.
Cybersecurity
Department
Application
to the Policy of JSC "Belagroprombank"
on processing
personal data
THE BANK PROCESSES PERSONAL DATA IN THE FOLLOWING CASES:
| Goals of personal data processing | Categories of personal data subjects whose personal data is processed | List of processed personal data | Legal grounds for processing personal data | Storage term of personal data |
| Sending notifications (messages, offers) of an advertising and informational nature to personal data subjects, including about promotional events carried out by the bank (bank partners) |
1. Bank clients
|
Last name, first name, patronymic or initials of the person, date of birth, contact phone number, e-mail address, other personal data allowing the relevant notification to be sent to the address | Processing of personal data based on the consent of the personal data subject ( clause 3 of Article 4 of the Law ) | No longer than required by the stated purposes of processing personal data, unless otherwise provided by law, but not less than 5 years after the expiration of the agreement (unless other periods are provided by law, taking into account the nature of the banking transaction) in case of obtaining consent in the presence of a concluded agreement |
| Participation of personal data subjects in advertising games, promotions and other promotional events conducted by the bank (including determining winners and presenting gifts and prizes) |
1. Bank clients |
Last name, first name, patronymic or initials of the person, date of birth, contact phone number, email address, other personal data necessary for processing in accordance with the rules for conducting advertising events |
Processing of personal data based on the consent of the personal data subject
|
No longer than required by the stated purposes of processing personal data, unless otherwise provided by law, but not less than 3 years from the date of the end of the advertising game |
| Analysis of consumer (client) preferences and client interest in the products (services) offered by the bank |
1. Bank clients |
Last name, first name, patronymic or initials of the person, date of birth, contact phone number, email address, other personal data specified during activities to analyze consumer (client) preferences and interest in the products (services) offered by the bank |
Processing of personal data based on the consent of the personal data subject
|
Within the storage periods for documents provided for by law, depending on the type of event |
| Participation of personal data subjects in bank loyalty programs, if participation in them is not an integral part of the banking product (service) provided on the basis of a concluded agreement |
1. Bank clients |
Last name, first name, patronymic or initials of the person, date of birth, contact phone number, email address, other personal data necessary for processing in accordance with the terms of the loyalty programs | Processing of personal data based on the consent of the personal data subject ( clause 3 of Article 4 of the Law ) | Within the document storage periods required by law, depending on the loyalty program |
| Assessment of the business reputation of the personal data subject | Persons who are potential participants in an assignment of the rights of a monetary claim | Last name, first name, patronymic (if available); Date of Birth; Place of Birth; location; passport series and number (other identification document), identification number (if available); data on bringing to administrative, criminal liability from information resources under the jurisdiction of the Ministry of Internal Affairs of the Republic of Belarus |
Processing of personal data based on the consent of the personal data subject
|
Within the storage periods for documents provided for by law |
| Assessment of the solvency of the personal data subject | Persons who are potential participants in an assignment of rights to monetary claim | Last name, first name, patronymic (if available); Date of Birth; identification number (if available), number of an identity document, details of a document confirming the authority of the legal representative; information on dates of hiring and dismissal, income (salary), pension, other income), documents confirming information about income contained in the state information system (resource) "Register of individual personal accounts of insured persons in the individual system ( personalized) accounting in the state social insurance system" |
Processing of personal data based on the consent of the personal data subject
|
Within the storage periods for documents provided for by law |
| Conclusion, execution, amendment and termination of contracts related to banking operations |
1. Persons authorized to sign the agreement |
Last name, first name, patronymic or initials of the person, position of the person who signed the agreement, other data in accordance with the terms of the agreement (if necessary) |
1. In the case of concluding an agreement with an individual - processing on the basis of an agreement with the personal data subject (paragraph fifteen of Article 6 of the Law) |
5 years after the expiration of the agreement (unless other periods are provided for by law, taking into account the nature of the banking operation). If the tax authorities did not check compliance with tax legislation - 10 years after the expiration of the agreement |
| Conclusion, execution, amendment and termination of civil contracts related to other activities carried out by the bank | Persons authorized to conclude an agreement | Last name, first name, patronymic or initials of the person, position of the person who signed the agreement, other data in accordance with the terms of the agreement (if necessary) |
1. In the case of concluding an agreement with an individual - processing on the basis of an agreement with the personal data subject (paragraph fifteen of Article 6 of the Law) |
3 years after the expiration of the agreement (unless other periods are provided for by law). If the tax authorities did not check compliance with tax legislation - 10 years after the expiration of the agreement |
| Accounting and tax records |
1. Bank employees, including family members and other relatives |
Last name, first name, patronymic or initials of persons , date of birth, contact telephone number, identification number, identification document details and other personal data necessary for accounting and tax records | The processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts (paragraph twentieth of Article 6 of the Law, Article 2 of the Law of the Republic of Belarus dated July 12, 2013 N 57-Z “On Accounting and Reporting”, subparagraph 1.2 of paragraph 1 of Article 2, paragraph 1 of article 22 of the Tax Code of the Republic of Belarus) | 3 years after tax authorities conduct an audit of compliance with tax legislation. If the tax authorities did not check compliance with tax legislation - 10 years |
| Consideration of appeals from citizens (including comments and suggestions included in the book) and legal entities |
1. Persons who sent the appeal |
Last name, first name, patronymic or initials, address of residence (place of stay), other personal data specified in the application | The processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts (paragraph twentieth of Article 6 and paragraph sixteen of paragraph 2 of Article 8 of the Law, paragraph 1 of Article 3 of the Law of the Republic of Belarus of July 18, 2011 N 300-Z "On Citizens' Appeals and legal entities") |
5 years from the date of last application; |
| Implementation of administrative procedures |
1. Persons applying for an administrative procedure |
Last name, first name, patronymic or initials, contact phone number, address of residence (place of stay), identification number, identity document details, other personal data that are indicated in the documents necessary to complete the administrative procedure | The processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts (paragraph twentieth of Article 6 and paragraph sixteen of paragraph 2 of Article 8 of the Law, Article 10 of the Law of the Republic of Belarus of October 28, 2008 N 433-Z “On the Fundamentals of Administrative Procedures”) | Within the storage periods for documents provided for by law, depending on the type of administrative procedure |
| The bank's appeal to the court, law enforcement and regulatory (supervisory) authorities, notaries, bodies for the enforcement of court decisions and other executive documents, to other authorized bodies for the protection and implementation of their rights and legitimate interests |
1. Bank clients |
Last name, first name, patronymic or initials, contact telephone number, address of residence (place of stay), identification number, identity document details, other personal data that are indicated in the documents necessary for the administration of justice, execution of court orders and other executive documents | The processing of personal data is necessary for the administration of justice, execution of court orders and other executive documents (paragraph three, paragraph twentieth of Article 6 of the Law, Article 49, paragraph 5 of Article 186 of the Civil Code of the Republic of Belarus) | 3 years after rendering solutions |
| Providing information by the bank at the request of authorized bodies due to the requirements of legislation in the field of national security, on the fight against corruption, on the prevention of money laundering, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction |
1. Bank clients |
Last name, first name, patronymic or initials, contact telephone number, address of residence (place of stay), identification number, identification document details, other personal data that must be provided upon request | The processing of personal data is necessary in the implementation of legislation in the field of national security, on the fight against corruption, on prevention the money laundering, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction (paragraph five, paragraph twentieth of Article 6 of the Law) | Within the storage periods for documents provided for by law, depending on the type of information provided upon request |
| Identification and maintenance of records of affiliates, bank insiders, as well as persons related to them | Persons who are affiliates, bank insiders, as well as persons related to them | Last name, first name, patronymic or initials, contact telephone number, address of residence (place of stay), identification number, identity document details, other personal data that are subject to processing in accordance with the Banking Code of the Republic of Belarus, the Law of the Republic of Belarus dated 09.12. 1992 N 2020- XII "On business companies" |
The processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts |
Depending on the type of document containing information about affiliates, bank insiders, as well as persons related to them, within the storage periods provided for by law |
| In cases when the processing of personal data is carried out by the bank on behalf of the operator or in its interests | Persons in respect of whom the operator decided to process personal data by the bank as an authorized person | Last name, first name, patronymic or initials, contact telephone number, address of residence (place of stay), identification number, identification document details, other personal data that are subject to processing by the bank on behalf of the operator or in his interests | If for the processing of personal data on behalf of the operator it is necessary to obtain the consent of the personal data subject, such consent is obtained by the operator (clause 2 of Article 7 of the Law) | Within the storage periods for documents provided for by law, depending on the type of document containing personal data |
| Formation and provision of management, statistical and other reporting to government bodies and other departments, in accordance with legal requirements |
1. Bank clients |
Personal data to be included in management, statistical and other reporting, and further transferred to government bodies and other departments, in accordance with legal requirements | The processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts (paragraph twentieth of Article 6, paragraph 16 of paragraph 2 of Article 8 of the Law) | Within the storage periods for documents provided for by law, depending on the type of document containing personal data |
|
Organization and provision of access control, security of premises and storage facilities, individual safes, safety of funds, valuables, equipment Storage and recording of documents in accordance with the legislation in the field of archiving and office work |
1. Bank employees 1. Bank clients
|
Last name, first name, patronymic or initials, identification document details, other personal data that are subject to processing when carrying out measures to ensure access control Personal data provided for by the form and content of documents subject to storage and recording in accordance with the legislation in the field of archiving and record keeping |
The processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts (paragraph twentieth of Article 6, paragraph 16 of paragraph 2 of Article 8 of the Law) The processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts (paragraph twentieth of Article 6, paragraph 16 of paragraph 2 of Article 8 of the Law, Article 4 of the Law of the Republic of Belarus dated November 25, 2011 N 323-Z "On archiving and office work") |
Within the storage periods for documents provided for by law, depending on the type of document containing personal data Within the storage periods for documents provided for by law, depending on the type of document containing personal data |
