Privacy Policy

CHAPTER 1

GENERAL PROVISIONS

1.1. The Personal Data Processing Policy of Belitsoft International JLLC (hereinafter - the Policy) defines the basic principles, objectives, conditions and methods of personal data processing, lists of subjects and personal data processed by Belitsoft International JLLC (hereinafter - the Operator), functions of the Operator in processing personal data, rights of personal data subjects, and requirements to personal data protection implemented by the Operator.

1.2. Provisions of the Policy shall serve as a basis for development of internal regulatory acts governing the Operator's personal data processing of the Operator's employees and other subjects of personal data.

1.3. The Policy applies to the relations in the field of personal data processing, which arose at the Operator both before and after the approval of the Policy.

CHAPTER 2

BASIC TERMS AND DEFINITIONS USED IN THE INTERNAL LEGAL ACTS OF THE OPERATOR, REGULATING THE PROCESSING OF PERSONAL DATA

2.1. Blocking of personal data - termination of access to personal data without removing it.

2.2. Depersonalization of personal data - actions that make it impossible, without the use of additional information, to determine whether the personal data belongs to a particular subject of personal data.

2.3. Processing of personal data - any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, removal of personal data.

2.4. Publicly available personal data - personal data, distributed by the subject of personal data or with his consent or distributed in accordance with the requirements of legislative acts.

2.5. Personal data - any information relating to an identified or identifiable natural person.

2.6. Provision of personal data - actions aimed at familiarization with personal data of a certain person or a circle of persons.

2.7. Personal Data Subject - a natural person in respect of whom personal data is processed.

2.8. Cross-border transfer of personal data - transfer of personal data to a foreign country.

2.9. Deletion of personal data - actions, as a result of which it becomes impossible to restore personal data in information resources (systems), containing personal data, and (or) as a result of which tangible carriers of personal data are destroyed.

2.10. Identifiable natural person - a natural person who can be directly or indirectly identified, in particular through his/her surname, given name, patronymic, date of birth, identification number or through one or more characteristics characteristic of his/her physical, psychological, mental, economic, cultural or social identity.

2.11. Information - information (messages, data) about persons, objects, facts, events, phenomena and processes regardless of their form of presentation.

2.12. Automated processing of personal data - processing of personal data using computer technology.

2.13. Services means any services, products, programs, events or services provided by Belitsoft International JLLC.

CHAPTER 3

PRINCIPLES AND OBJECTIVES OF PERSONAL DATA PROCESSING

3.1. As a personal data operator, Belitsoft International JLLC processes personal data of the Operator's employees and other subjects of personal data, who are not in employment relations with the Operator.

3.2. Processing of personal data by the Operator shall take into account the need to protect the rights and freedoms of the Operator's employees and other subjects of personal data, including protection of the right to privacy, personal and family secrets, based on the following principles:

• Personal data processing shall be carried out on a lawful and fair basis;
• Personal data processing shall be carried out in proportion to the stated purposes of its processing, and shall ensure at all stages of such processing a fair balance of interests of all persons concerned;
• Personal data processing shall be carried out with the consent of the subject of personal data, except as provided by legislative acts;
• Personal data processing shall be limited to achieving specific, pre-declared legitimate purposes. Personal data processing that is inconsistent with the original stated purposes of processing shall not be permitted;
• The content and scope of the processed personal data corresponds to the stated processing purposes. Processed personal data is not excessive in relation to the stated processing purposes;
• Personal data processing is transparent. The subject of personal data may be provided with relevant information concerning the processing of his/her personal data;
• The operator shall take measures to ensure the accuracy of the personal data processed by it, update them if necessary;
• Personal data shall be stored in a form that allows identification of the personal data subject for no longer than the stated purposes of personal data processing.

3.3. Personal data shall be processed for the purposes of:

• Processing and review of questionnaires (resumes) of candidates for employment with the Operator;
• Regulating labor relations with the Operator's employees (assistance in employment, training and promotion, ensuring personal safety, control over the quantity and quality of work, ensuring security of property);
• Keeping personnel records;
• Keeping accounting and tax records;
• Realization of communications with the subjects of personal data;
• Providing the Operator's Services to the subjects of personal data;
• Providing the subjects of personal data with information on the Operator's activities, Operator's services;
• Sending notifications to the subjects of personal data, conducting promotions, surveys, tests of the Operator, evaluation and analysis of various services of the Operator;
• Arranging health insurance for employees and their family members;
• Preparation, conclusion, execution and termination of contracts with contractors;
• Ensuring access control at the Operator's facilities;
• Generation of reference materials for internal information support of the Operator's operations.

CHAPTER 4

LIST OF SUBJECTS WHOSE PERSONAL DATA IS PROCESSED BY THE OPERATOR

The Operator processes personal data of the following categories of subjects:

• Shareholders and affiliates of the Operator;
• Candidates for employment with the Operator;
• Employees and former employees of the Operator and members of their families;
• The Operator's clients and counterparties (individuals);
• Applicants, students;
• Representatives (employees) of the Operator's counteragents (legal entities);
• Other subjects of personal data (to ensure the implementation of the processing purposes specified in Chapter 4 of the Policy).

CHAPTER 5

LIST OF PERSONAL DATA PROCESSED BY THE OPERATOR

5.1. The Operator shall process the following personal data:

• Surname, first name, patronymic;
• Ender;
• Nationality;
• Date and place of birth;
• Image (photograph);
• Passport data;
• Email address;
• Place of registration and place of residence;
• Marital status, presence of children, family ties, data on marriage registration;
• Information on education, qualification, professional training and advanced training;
• Information on labor activity, including encouragements, awards and (or) disciplinary sanctions;
• Contact information;
• Information on military registration;
• Information on disability;
• Information on maintenance deductions;
• Account number;
• Other personal data provided by the subjects of personal data depending on the purpose of personal data processing.

5.2. The operator processes biometric personal data only with the consent of the subject.

5.3. Processing of special personal data concerning racial or national identity, political views, religious or other beliefs, health or intimate life, administrative or criminal prosecution, as well as genetic personal data is not carried out by the Operator, except in cases where the subject of personal data independently provided such data to the Operator or they became known to him.

CHAPTER 6

TERMS OF PERSONAL DATA PROCESSING BY THE OPERATOR

6.1. Personal data processing by the Operator shall be carried out with the consent of the subject of personal data to processing of his/her personal data, unless otherwise provided by the legislation in the field of personal data.

6.2. The consent of the subject of personal data is a free, unambiguous, informed expression of their will, by which they authorize the processing of their personal data.

6.3. The operator without the consent of the subject of personal data shall not disclose to third parties and shall not distribute personal data, unless otherwise provided by the legislation.

6.4. Processing of personal data by the Operator includes any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data.

6.5. The Operator shall process personal data in the following ways:

• With the use of automation means with or without transfer of received information via information and telecommunication networks;
• Without the use of automation means, if the search of personal data and (or) access to them by certain criteria (file cabinets, lists, databases, journals, etc.) is provided;
• Mixed processing of personal data.

6.6. The Operator is entitled to entrust the processing of personal data on behalf of the Operator or in its interests to an authorized person on the basis of a contract to be concluded with that person. The contract shall contain:

• The purposes of personal data processing;
• A list of actions to be performed with personal data by an authorized person;
• Obligations to comply with the confidentiality of personal data;
• Measures to ensure protection of personal data in accordance with the Law on personal data protection.

The authorized person is not required to obtain consent from the subject of personal data. If the processing of personal data on behalf of the Operator requires the consent of the personal data subject, such consent shall be obtained by the Operator.

6.7. Personal data shall be stored in a form enabling identification of the subject of personal data, for a period no longer than required by the purposes of personal data processing, except where the period of personal data storage is established by the legislation, the contract concluded (to be concluded) with the subject of personal data, for the purposes of actions established by such contract.

6.8. The condition for termination of personal data processing may be achievement of personal data processing objectives, expiration of the personal data processing period, withdrawal of personal data subject's consent to processing of his/her personal data, as well as detection of unlawful personal data processing.

CHAPTER 7

RIGHTS AND OBLIGATIONS OF SUBJECTS OF PERSONAL DATA

7.1. Subjects of personal data have the right to:

• Withdraw the consent of the subject of personal data;
• Obtain information concerning the processing of personal data;
• Amend their personal data in cases where personal data is incomplete, outdated or inaccurate;
• Demand the termination of processing of personal data, including its deletion, in the absence of grounds for its processing;
• Appeal the Operator's actions (inaction) and decisions, related to the processing of personal data, to the authorized body on protection of the rights of subjects of personal data, in the manner prescribed by the legislation.

7.2. The subject of personal data is obliged:

• To provide the Operator with exclusively reliable information about himself/herself;
• If necessary, to provide the Operator with the documents containing personal data in the volume required for the purpose of their processing;
• Timely inform the Operator of any changes in their personal data.

CHAPTER 8

MECHANISM FOR EXERCISING THE RIGHTS OF THE SUBJECT OF PERSONAL DATA

8.1. The subject of personal data shall be entitled to withdraw his/her consent to processing of personal data by submitting an application to the Operator in the form of an electronic document to the Operator's e-mail address: [email protected].

The application must contain:

• Surname, first name, patronymic;
• Address of his residence (place of stay);
• Date of birth;
• Identification number;
• A statement of the essence of the claim;
• Personal signature or electronic digital signature.

The operator within 15 days after receipt of the application shall stop processing of personal data (if there are no grounds for its processing under the law), shall remove it, if there is no technical possibility of removal - shall take measures to prevent further processing of personal data, including its blocking, and notify the subject of personal data in the same period.

8.2. The subject of personal data has the right to receive information from the Operator regarding the processing of his personal data by submitting an application to the Operator in the manner prescribed by paragraph 9.1 of this Policy. The Operator shall provide the subject of personal data with relevant information or notify him about the reasons for refusal to provide such information within 5 working days after receiving the application.

8.3. The subject of personal data has the right to request the Operator to make changes in his personal data in case they are incomplete, outdated or inaccurate, by submitting an application to the Operator in the manner provided in paragraph 9.1 of this Policy, accompanied by documents confirming the need to make such changes. The operator within 15 days after receipt of the application makes changes to the personal data of the subject of personal data and notifies him about it or notifies him about the reasons for refusal to make changes.

8.4. The subject of personal data is entitled to receive information from the Operator about the provision of his personal data to third parties once a calendar year free of charge, by submitting an application to the Operator in the manner prescribed by paragraph 9.1 of these Rules. The operator within 15 days after receipt of the application shall provide the subject of personal data with information about which personal data of this subject and to whom were provided during the year preceding the date of application submission, or notify him about the reasons for refusal to provide such information.

8.5. The subject of personal data is entitled to request the operator to terminate the processing of his personal data free of charge, including deletion, if there are no grounds for the processing of personal data, by submitting an application to the operator in the manner prescribed by paragraph 9.1 of this Policy. Within 15 days of receiving the personal data subject's application, the operator shall stop processing the personal data (if there are no grounds for processing under the law), perform their deletion, if there is no technical possibility of deletion - take measures to prevent further processing of personal data, including their blocking, and notify the subject of personal data in the same period.

CHAPTER 9

MEASURES TAKEN BY THE OPERATOR TO ENSURE THE FULFILLMENT OF ITS DUTIES IN THE PROCESSING OF PERSONAL DATA

The operator has taken the following measures, necessary and sufficient to ensure the fulfillment of the personal data operator's obligations:

• A person responsible for exercising internal control over the processing of personal data has been appointed;
• The list of employees, having access to personal data, in accordance with the categories of personal data and purposes of their processing, has been approved;
• Internal legal acts, determining the policy and issues of personal data processing and protection at the Operator has been approved;
• Subjects of personal data shall be provided with necessary information prior to obtaining their consent for processing of personal data;
• Subjects of personal data are explained their rights related to the processing of personal data;
• Personal data is stored in conditions that ensure its safety and exclude unlawful access to it;
• Publication of this Policy on the website or otherwise provide unrestricted access to this Policy.

CHAPTER 10

CROSS-BORDER TRANSFER OF PERSONAL DATA

10.1. Before cross-border transfer of personal data, the Company must ensure that the foreign country to whose territory the transfer of personal data is to take place provides reliable protection of the rights of personal data subjects.

10.2. Cross-border transfer of personal data to the territories of foreign states that do not meet the above requirement may be carried out only in cases stipulated by the Law.