Personal data processing policy

PERSONAL DATA PROCESSING POLICY

of the health care institution “the 10^th City Clinical Hospital”

Chapter 1

GENERAL PROVISIONS

1.1. The personal data processing policy of the health care institution the “10^th City Clinical Hospital” (hereinafter referred to as the Policy) shall set the basic principles, goals, conditions and methods of personal data processing, lists of personal data subjects and personal data processed at the health care institution, functions of the health care institution in the processing of personal data, the rights of the personal data subjects and the requirements to the protection of personal data at the health care institution.

1.2. The Policy has been developed in accordance with the Constitution of the Republic of Belarus, laws and other regulations of the Republic of Belarus regarding personal data.

1.3. The provisions of the Policy shall be used to develop by-laws for processing of personal data of the employees and patients of the health care institution “the 10^th City Clinical Hospital” (hereinafter referred to as the Health care institution, the Hospital) and any other personal data subjects.

Chapter 2

LAWS AND OTHER LEGAL ACTS AND REGULATIONS OF THE REPUBLIC OF BELARUS GOVERNING THE PERSONAL DATA PROCESSING POLICY OF THE HEALTH CARE INSTITUTION

2.1. The personal data processing policy of the health care institution shall be governed by the following regulations:

Constitution of the Republic of Belarus;
Labour Code of the Republic of Belarus;
Law No.99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”;
Law No.2435-XII of the Republic of Belarus as of June 18, 1993 “On Health Care”;
Law No. 455-З of the Republic of Belarus as of November 10, 2008 “On Information, Informatization and Information Protection”
Order No.536 of the Ministry of Health of the Republic of Belarus as of May 25, 2018 “On Some issues regarding the development of integrated electronic medical records in the Republic of Belarus”;
Resolution No.64 of the Ministry of Health of the Republic of Belarus as of May 28, 2021 “On Approving the Guidelines for the depersonalization of personal data of the persons who receive health care”;
Resolution No.74 of the Ministry of Health of the Republic of Belarus as of June 7, 2021 “On Forms and procedures for the provision and withdrawal of a patient’s consent for the entry and processing of their personal data” (including the Guidelines for the forms and procedures for the provision and withdrawal of consent for the entry and processing of personal data, private health information, refusal of data entry and processing and the procedure for informing of the right to refuse to have private health information entered into the centralized health care information system);
other legal acts and regulations of the Republic of Belarus and the regulations of the government authorities.
2. To implement the provisions of the Policy the health care institution develops relevant by-laws and other documents, including:
Regulation on personal data processing and protection at the health care institution “the 10^th City Clinical Hospital” (Annex 1 hereto);
Regulation on the procedure for the maintenance of personal data confidential during its processing at the health care institution “the 10^th City Clinical Hospital” (Annex 2 hereto);
any other by-laws and documents governing the issues of personal data processing at the health care institution.

Chapter 3

KEY TERMS AND DEFINITIONS USED IN THE BY-LAWS OF THE HEALTH CARE INSTITUTION GOVERNING PERSONAL DATA PROCESSING

3.1. Operator means the health care institution “the 10^th City Clinical Hospital” located at 220096, Minsk, ul. Uborevicha, 73.

3.2. Personal data means any information relating to an identified or identifiable natural person or legal entity.

3.3. Biometric personal data means the information that describes a natural person’s physiological and biological characteristics and is used to identify the natural person (fingerprint, palm print, iris scan, facial characteristics, facial recognition, etc.).

3.4. Genetic personal data means the information relating to the inherited or acquired genetic characteristics of a natural person which contains unique data about a natural person’s physiology or health and may be obtained, particularly, as a result of examination of a natural person’s biological sample.

3.5. Special personal data means the personal data relating to a natural person’s race and nationality, political views, trade union membership, religious and any other views, health, sexual life, administrative or criminal prosecution, biometric and genetic personal data.

3.6. Information means any data (communications, data) regardless of their presentation.

3.7. Identifiable natural person means a natural person who can be directly or indirectly identified by the last name, first name, patronymic, date of birth, identification number, or by one or several characteristics of a natural person’s physical, psychological, mental, economic, cultural or social identity.

3.8. Personal data subject or subject means a natural person whose personal data is processed.

3.9. Personal data processing means any action or series of actions with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision and deletion of personal data.

3.10. Automated personal data processing means personal data processing with the help of computers.

3.11. Non-automated personal data processing means use, clarification, distribution, deletion of personal data performed with a direct involvement of a human provided that the search and/or access to personal data is ensured according to certain criteria (card catalogues, lists, databases, record books, etc.)

3.12. Distribution of personal data means any actions aimed at disclosing personal data to general public.

3.13. Provision of personal data means any actions aimed at disclosing personal data to a certain person or persons.

3.14. Blocking of personal data means a termination of access to personal data without deleting it.

3.15. Deletion of personal data means any actions which make it impossible to restore personal data in the personal data information recourses (systems) and/or result in the destruction of physical storage media.

3.16. Depersonalization of personal data means actions which make it impossible to establish a connection between personal data and a specific personal data subject without using additional information.

3.17. Cross-boarder transfer of personal data means any transfer of personal data to the territory of a foreign state.

Chapter 4

PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING

4.1. The health care institution as the Personal data operator shall process the personal data of the employees and patients of the health care institution and personal data of other personal data subjects not employed by the health care institution.

4.2. The personal data shall be processed by the health care institution considering the protection of the rights and freedoms of its employees, patients and other personal data subjects, including the protection of the right to privacy, personal and family secrets on the basis of the following principles

personal data shall be processed on a legal and equitable basis;
personal data shall be processed in accordance with the stated goals considering the interests of all persons concerned;
personal data shall be processed with the consent of a personal data subject unless otherwise provided for by the legal acts;
personal data processing shall be limited to the specific stated goals. Personal data processing not complying with the stated goals shall not be allowed;
the content and amount of personal data to be processed shall comply with the stated goals of processing. Personal data to be processed shall not be redundant with regard to the stated goals of processing;
personal data processing shall be transparent. Any personal data subject may be provided with information relating to its personal data processing;
the Operator shall take reasonable measures to ensure accuracy of personal data to be processed and to update personal data if necessary;
personal data shall be stored in the form enabling to identify a personal data subject as long as required by the stated goals of personal data processing.

4.3. The health care institution shall process personal data with a view to:

complying with the Constitution of the Republic of Belarus, legal acts and regulations of the Republic of Belarus, by-laws of the health care institution;
exercising the rights and legitimate interests of the health care institution when carrying out the activities set forth by the Articles of Association and other by-laws of the health care institution or when achieving worthwhile goals;
exercising the functions, powers and obligations imposed on the health care institution by the laws of the Republic of Belarus including those regarding the provision of personal data to the government authorities, to the Social protection fund of the Ministry of Labour and Social Protection of the Republic of Belarus, and to other government authorities;
regulating labour relations between the health care institution and its employees;
protecting personal data subjects’ health and other interests;
drafting, making, executing and terminating contracts with counterparties;
developing reference materials for internal information support at the health care institution;
executing court rulings, acts of other authorities or officials subject to execution in accordance with enforcement laws of the Republic of Belarus;
for other legitimate purposes.

Chapter 5

FUNCTIONS OF THE HEALTH CARE INSTITUTION WHEN PROCESSING PERSONAL DATA

5.1. When processing personal data the health care institution shall

5.1.1. take reasonable and sufficient measures to ensure compliance with the laws of the Republic of Belarus and the by-laws of the health care institution relating to personal data processing;

5.1.2. take legal, organizational and technical measures to protect personal data from unauthorized or random access, from destruction, modification, blocking, copying, provision, distribution and from any other wrongful acts;

5.1.3. appoint a subdivision or a person responsible for the internal control of personal data processing;

5.1.4. issue by-laws determining personal data processing and protection policy and issues at the health care institution;

5.1.5. inform the employees of the health care institution who are directly involved in personal processing with the laws of the Republic of Belarus and by-laws of the health care institution on personal data, including the requirements to personal data protection , and provides training for such employees;

5.1.6. ensure unrestricted access to this Policy;

5.1.7. duly inform personal data subjects or their representatives on availability of personal data relating to such subjects, provide access to this personal data upon application and/or request from the above-mentioned personal data subjects or their representatives unless otherwise provided for by the laws of the Republic of Belarus;

5.1.8. terminate personal data processing and destroy personal data where provided for by the laws of the Republic of Belarus on personal data;

5.1.9. perform any other activities provided for by the laws of the Republic of Belarus on personal data.

Chapter 6

CATEGORIES OF PERSONAL DATA SUBJECTS

6.1. The health care institution shall process personal data of the following subjects:

6.1.1. employees’ relatives;

6.1.2. job candidates;

6.1.3. employees;

6.1.4. employees and other representatives of counterparties – legal entities;

6.1.5. counterparties – natural persons;

6.1.6. patients;

6.1.7. persons specified in Part 2 of Article 18 of Law No.2435-XII of the Republic of Belarus as of June 18, 1993 “On Health Care”;

6.1.8. other subjects whose personal data is to be processed due to cooperation with the Operator.

Chapter 7

CONTENT AND AMOUNT OF PERSONAL DATA

7.1. The content and amount of personal data shall be determined separately for each category considering the goals of personal data processing, the execution by the health care institution of its rights and obligations and the rights and obligations of relevant subjects.

7.2. An employee’s relative personal data shall include

last name, first name, patronymic;

date of birth;

citizenship;

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

marital status and family composition, specifying the last names, first names, patronymics of family members, dates of birth, places of work and/or study;

household registration (including address, date of registration);

actual residence;

number and series of a state social insurance policy;

medical details (where provided for by the laws);

details of social benefits and payments;

contact information (including, business phone number, home and/or mobile phone number, email, etc.).

7.3. A job candidate’s personal data shall include

last name (all previous last names), first name, patronymic

date and place of birth;

citizenship;

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

details of the certificate of birth (number, date of issue, name of the issuing authority, etc.);

gender;

marital status and family composition, specifying the last names, first names, patronymics of family members, dates of birth, places of work and/or study;

household registration (including address, date of registration);

actual residence;

number and series of a state social insurance policy;

information on education, advanced training, occupational training, academic degree, academic rank;

employment details (including length of service, experience, employment data specifying a job title, division, employer details, etc.);

specialty, occupation, qualification;

military service details;

medical details (where provided for by the laws);

biometric personal data (including photos, images from surveillance footage, voiceprint);

information on social benefits and payments;

contact information (including, business phone number, home and/or mobile phone number, email, etc.);

information on rewards and encouragements;

information provided by a job candidate when filling out personality questionnaires and taking psychometric tests and the results of such tests (psychometric profile, skills and characteristics);

any other information specified in a candidate’s CV or application form.

7.4. An employee’s personal data shall include

last name (all previous last names), first name, patronymic;

date of birth;

citizenship;

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

details of visa and other migration documents;

gender;

household registration (including address, date of registration);

place of stay;

biometric personal data (including photos, images from surveillance footage, voiceprint);

information on social benefits and payments;

contact information (including, business phone number, home and/or mobile phone number, email, etc.);

information on parents, foster parents, custodians, marital status, a spouse, a child (children);

information on higher education, academic degree, academic rank;

information on occupation, military service, disability;

any other information required to perform mutual rights and obligations.

7.5. Personal data of employees and other representatives of counterparties ‑ legal entities shall include

last name, first name, patronymic;

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

household registration (including address, date of registration);

contact information (including, business phone number, home and/or mobile phone number, email, etc.);

job title;

any other information required to perform mutual rights and obligations by the health care institution and a counterparty.

7.6. Personal data of counterparties – natural persons shall include

last name, first name, patronymic;

citizenship;

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

household registration (including address, date of registration);

number and series of a state social insurance policy;

information on education, advanced training, occupational training, academic degree, academic rank;

bank account details;

taxpayer identification number;

specialty, occupation, qualification;

contact information (including, business phone number, home and/or mobile phone number, email, etc.);

details of the certificate of title;

any other information required to perform mutual rights and obligations by the health care institution and a counterparty.

7.7. A patient’s personal and other data shall include

last name, first name, patronymic;

citizenship;

date of birth;

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

household registration (including address, date of registration);

actual residence;

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

employment details (place of work, job title);

information on social benefits;

gender;

height, weight;

biometric personal data (including photos, images from surveillance footage, voiceprint);

genetic personal data;

medical data;

family medical history;

past medical history;

history of allergy;

drug sensitivity;

response to immunological medicinal products;

history of blood transfusion;

obstetric and gynecological history (for women);

metric data;

preventive vaccination;

final diagnoses;

laboratory tests, radiological examinations, function tests;

surgery;

emergency care;

provision of medicines and medical products;

non-drug treatment;

physiotherapy;

physical therapy and massage;

alternative treatment;

radiotherapy;

periodic health examinations;

temporary disability;

disability;

data from registries;

private health information (facts of medical encounters, health status, information on diseases, diagnosis, methods of treatment, risks associated with medical interventions, alternatives to medical interventions, other personal data results of pathological investigation);

other data required to provide medical care to patients, to register and consider encounters.

7.8. Personal data of other subjects shall include

contact information (including, business phone number, home and/or mobile phone number, email, etc.);

passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.);

household registration (including address, date of registration);

number and series of a state social insurance policy;

information on education, advanced training, occupational training, academic degree, academic rank;

bank account details;

taxpayer identification number;

specialty, occupation, qualification;

any other information required to perform mutual rights and obligations by the health care institution and a counterparty.

Chapter 8

CONDITIONS OF PERSONAL DATA PROCESSING AT THE HEALTH CARE INSTITUTION

8.1. Personal data shall be processed at the health care institution with the consent of the personal data subject unless otherwise provided for by the laws of the Republic of Belarus on personal data.

8.2. The health care institution shall not disclose or distribute personal data without consent of the personal data subject to any third parties unless otherwise provided for by the laws of the Republic of Belarus.

8.3. The health care institution shall be entitled to authorize a third party to process personal data on behalf of the health care institution on the basis of a contract with this third party.

The contract shall contain

goals of personal data processing;

list of actions carried out with personal data by an authorized person;

obligations to maintain personal data confidential;

measures to protect personal data in accordance with Article 17 of Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”.

An authorized person shall not be obliged to obtain the consent of a personal data subject. If the consent for processing of personal data on behalf of the health care institution is required, the health care institution shall obtain such consent.

8.4. For the purpose of internal information support the health care institution may create with the written consent of a personal data subject the internal reference materials containing the personal data subject’s last name, first name, patronymic, place of work, job title, year and place of birth, address, subscriber number, email and other personal data provided by the personal data subject, unless otherwise provided for by the laws of the Republic of Belarus.

8.5. Only the employees of the health care institutions, who occupy the positions specified in the list of positions having access to personal data shall have access to personal data processed at the health care institution.

Chapter 9

RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS

9.1. Any personal data subject shall be entitled to

9.1.1.withdraw its consent for personal data processing at any time without giving reasons by submitting a relevant application to the Operator in accordance with the procedure specified in Article 14 of Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” or in the form by which it gave its consent;

9.1.2. obtain information on processing of its personal data, including

the Operator’s name (last name, first name, patronymic (if any) and location (address of residence/stay);

confirmation of personal data processing by the Operator (an authorized person); its personal data and source of data;

legal grounds for and purposes for personal data processing; duration of its consent;

name and location of an authorized person, if such authorized person is a government authority, legal entity of the Republic of Belarus or any other organization; any other information specified by the laws;

9.1.3. ask the Operator to modify its personal data, if such data is incomplete, outdated or inaccurate. For this purpose the personal data subject shall submit the application to the Operator in accordance with the procedure specified in Article 14 of Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and attach to the application the relevant documents and/or duly certified copies of the documents confirming the necessity to amend personal data;

9.1.4. get from the Operator information on provision of its personal data to any third persons once in a year on a free basis unless otherwise is provided for by Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts. To get such information, a personal data subject shall submit a relevant application to the Operator. The application shall contain the personal data subject’s last name, first name, patronymic (if any), address of residence/stay, date of birth, identification number (If the personal data subject has no identification number, it shall provide the number of identity document provided that the personal data subject has specified this information upon provision of consent or if personal data is processed without consent of the personal data subject), essence of requirements, personal signature or digital signature;

9.1.5. ask the Operator to terminate its personal data processing free of charge, including destruction of such data, if there are no grounds for personal data processing in accordance with Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” or other legal acts. To exercise the right the personal data subject shall submit an application to the Operator in accordance with the procedure specified in Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”;

9.1.6. appeal against the Operator’s actions (inactions) and decisions which violate the personal data subject’s right during processing of personal data in accordance with the procedure set forth by the laws on appeals from citizens and legal entities.

9.2. A personal data subject’s right to access to its personal data may be restricted in accordance with the laws of the Republic of Belarus.

9.3. All applications from personal data subjects and their representatives relating to personal data processing shall be registered in a relevant registry.

9.4. A personal data subject shall

provide reliable personal data to the health care institution;

timely inform the health care institution on any modifications of and supplements to its personal data;

exercise its rights in accordance with the laws of the Republic of Belarus and the by-laws of the health care institution on personal data processing and protection;

perform other obligations provided for by the laws of the Republic of Belarus and the by-laws of the health care institution on personal data processing and protection.

Chapter 10

RIGHTS AND OBLIGATIONS OF THE OPERATOR

10.1. The Operator shall be entitled to

set the rules of personal data processing at the health care institution;

amend and supplement the Regulation;

develop on its own in accordance with the laws and use the document forms required to perform its obligations;

exercise other rights set forth by the laws of the Republic of Belarus and the by-laws of the health care institution on personal data processing and protection.

10.2. The Operator shall

explain to a personal data subject its right relating to personal data processing;

obtain the consent of a personal data subject except as otherwise provided for by Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts;

protect personal data in the course of its processing;

provide a personal data subject with the information on its personal data and the information on provision of a personal data subject’s personal data to any third parties except as otherwise provided for by Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts;

modify incomplete, outdated or inaccurate personal data except for the cases where legal acts set forth any other procedure for the modification of personal data or when further modification of personal data does not comply with the goals of personal data processing;

terminate personal data processing and to delete or block it (ensure termination of personal data processing, its deletion or blocking by an authorized person) if there are no grounds for personal data processing as provided for by Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts;

immediately notify the data protection authority on any breach of the data protection systems but no later than 3 (three) working days after the Operator has learnt about such breach except in cases provided for by the data protection authority;

modify, block and delete unreliable personal data or illegally obtained personal data upon the request from the data protection authority except for the cases where legal acts set forth any other procedure for the modification, blocking or deletion of personal data;

fulfill other requirements of the data protection authority relating any violations of the laws on personal data;

perform other obligations stipulated in Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts.

Chapter 11

SUPERVISION OF THE COMPLIANCE WITH THE LAWS OF THE REPUBLIC OF BELARUS AND BY-LAWS OF THE HEALTH CARE INSTITUTION ON PERSONAL DATA, INCLUDING PERSONAL DATA PROTECTION

11.1. The compliance with the laws of the Republic of Belarus and by-laws of the health care institution on personal data, including personal data protection, at the health care institution shall be supervised with a view to verifying the compliance of personal data processing by the health care institution with the laws of the Republic of Belarus and by-laws of the health care institution on personal data, including personal data protection, and with a view to making efforts to prevent and detect any violations of the laws of the Republic of Belarus on personal data, to detect possible paths of data leakage and unauthorized access to personal data, to eliminate the effects of such violations.

11.2. A person responsible for the arrangement of personal data processing at the health care institution shall supervise the compliance with the laws of the Republic of Belarus and by-laws of the health care institution on personal data , including personal data protection, at the health care institution.

11.3. The chiefs of the units shall be personally liable for the supervision of the compliance with the laws of the Republic of Belarus and by-laws of the health care institution on personal data at the health care institution and for the confidentiality and protection of personal data at the relevant units of the health care institution.

Chapter 12

LIABILITY

12.1. Any person shall be held liable for any violation of Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” in accordance with legal acts.

12.2. If any employee or other person violates the Regulation or the laws of the Republic of Belarus on persona data, they may be exposed to disciplinary and material liability in accordance with the procedure stipulated in the Labour Code of the Republic of Belarus or may be exposed to civil, administrative or criminal liability in accordance with the procedure set forth by the laws of the Republic of Belarus.

12.3. Civil Liability

A personal data subject may seek reimbursement for property damages, losses and moral damage caused by violation of its rights (Clause 2 of Article 19 of the Law “On Personal Data Protection”, Clause 8, 10 of Article 11 of the Civil Code of the Republic of Belarus).

12.4. Disciplinary Liability

An employment contract with an employee may be terminated due to any violation of personal data processing procedure by the employee. Any employee may be discharged for disciplinary reasons if the employee has violated the procedure for the

collection of personal data;
systematization of personal data;
storage of personal data;
modification of personal data;
use of personal data;
depersonalization of personal data;
blocking of personal data;
distribution of personal data;
provision of personal data;
deletion of personal data (Clause 10 of Part 1 of Article 47, Clause 4 Part 1 of Article 198 of the Labour Code of the Republic of Belarus).

The liable persons may also be exposed to administrative or criminal liability.

Annex 1

to the Operator’s personal data processing policy

REGULATION

on personal data processing and protection at the health care institution “the 10th City Clinical Hospital”

Chapter 1

GENERAL PROVISIONS

This Regulation on personal data processing and protection (hereinafter referred to as the Provision) shall set forth the policy of the health care institution “the 10th City Clinical Hospital” (hereinafter referred to as the Organization) with respect to personal data processing, the procedure for processing by the Organization of personal data, including the procedures for the collection, storage, use, transfer and protection of such data.
Personal data handling shall be regulated with a view to ensuring rights and freedoms of citizens, to maintaining confidentiality of personal data and to protecting it.
This Regulation and any amendments thereto shall be approved by the chief physician of the Organization. This Regulation shall be deemed to be a by-law of the Organization binding upon the employees and other parties involved in personal data processing in accordance with this Regulation.
This Regulation has been drawn up on the basis of and pursuant to

Constitution of the Republic of Belarus;

Labour Code of the Republic of Belarus;

Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”;

Law No.418-З of the Republic of Belarus as of July 21, 2008 “On Population Register”;

Law No. 455-З of the Republic of Belarus as of November 10, 2008 “On Information, Informatization and Information Protection”;

Law No.114-З as of May 28, 2021 “On Revision of laws on labour relations”;

other legal acts and regulations of the Republic of Belarus.

Chapter 2

BASIC TERMS AND DEFINITIONS

In this Regulation

“Organization” or “Operator” means the health care institution “the 10^th City Clinical Hospital”;

“Personal data” means information relating to an identified or identifiable natural person or legal entity.

“Personal data subject” or “Subject” means a natural person not an employee of the Organization whose personal data is processed by the Organization;

“Personal data processing” means any action or series of actions with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision and deletion of personal data;

“Automated personal data processing” means personal data processing with the help of computers;

“Non-automated personal data processing” means use, clarification, distribution, deletion of personal data performed with a direct involvement of a human provided that the search and/or access to personal data is ensured according to certain criteria (card catalogues, lists, databases, record books, etc.);

“Distribution of personal data” means any actions aimed at disclosing personal data to general public;

“Provision of personal data” means any actions aimed at disclosing personal data to a certain person or persons;

“Blocking of personal data” means a termination of access to personal data without deleting it;

“Deletion of personal data” means any actions, which make it impossible to restore personal data in the personal data information recourses (systems), and/or result in the destruction of physical storage media;

“Depersonalization of personal data” means actions which make it impossible to establish a connection between personal data and a specific personal data subject without using additional information;

“Cross-boarder transfer of personal data” means any transfer of personal data to the territory of a foreign state;

“Identifiable natural person” means a natural person who can be directly or indirectly identified by the last name, first name, patronymic, date of birth, identification number, or by one or several characteristics of a natural person’s physical, psychological, mental, economic, cultural or social identity.

This Regulation contains other terms and definitions which have the meanings specified in the Civil Code of the Republic of Belarus, Law No.2435-XII of the Republic of Belarus as of June 18, 1993 “On Health Care”; Law No.418-З of the Republic of Belarus as of July 21, 2008 “On Population Register”; Law No. 455-З of the Republic of Belarus as of November 10, 2008 “On Information, Informatization and Information Protection”, Law No.113-З of the Republic of Belarus as of December 28, 2009 “On Electronic Document and Electronic Digital Signature”.

Chapter 3

CATEGORIES OF PERSONAL DATA SUBJECTS

The Organization shall process personal data of the following subjects:

employees and other representatives of the Organization; employees’ relatives; job candidates;

employees and other representatives of counterparties – legal entities;

counterparties – natural persons;

customers;

patients;

other subjects whose personal data is to be processed due to cooperation with the Operator.

Chapter 4

CONTENT AND AMOUNT OF PERSONAL DATA

The content and amount of personal data shall be determined separately for each category considering the goals of personal data processing, the execution by the Organization of its rights and obligations and the rights and obligations of relevant subjects.

An employee’s relatives personal data shall include last name, first name, patronymic; date of birth; citizenship; passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.); marital status and family composition, specifying the last names, first names, patronymics of family members, dates of birth, places of work and/or study; household registration (including address, date of registration); actual residence; number and series of the state social insurance policy; medical details (where provided for by the laws); details of social benefits and payments;

contact information (including, business phone number, home and/or mobile phone number, email, etc.).

A job candidate’s personal data shall include last name (all previous last names), first name, patronymic; date and place of birth;

citizenship; passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.); details of the certificate of birth (number, date of issue, name of the issuing authority, etc.); gender; marital status and family composition, specifying the last names, first names, patronymics of family members, dates of birth, places of work and/or study; household registration (including address, date of registration); actual residence; number and series of the state social insurance policy; information on education, advanced training, occupational training, academic degree, academic rank; employment details (including length of service, experience, employment data specifying a job title, division, employer details, etc.); specialty, occupation, qualification; military service details;

medical details (where provided for by the laws); biometric personal data (including photos, images from surveillance footage, voiceprint); information on social benefits and payments; contact information (including, business phone number, home and/or mobile phone number, email, etc.);

information on rewards and encouragements; information provided by a job candidate when filling out personality questionnaires and taking psychometric tests and the results of such tests (psychometric profile, skills and characteristics);

any other information specified in a candidate’s CV or application form.

Personal data of employees and other representatives of the Organization shall include last name (all previous last names), first name, patronymic; date of birth; citizenship; passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.); details of visa and other migration documents; gender; place of stay; biometric personal data (including photos, images from surveillance footage, voiceprint); information on social benefits and payments; contact information (including, business phone number, home and/or mobile phone number, email, etc.); any other information required to perform mutual rights and obligations.
Personal data of employees and other representatives of counterparties ‑ legal entities shall include last name, first name, patronymic; passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.); household registration (including address, date of registration);

contact information (including, business phone number, home and/or mobile phone number, email, etc.); job title; any other information required to perform mutual rights and obligations by the Organization and a counterparty.

Personal data of counterparties – natural persons shall include last name, first name, patronymic; citizenship passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.); household registration (including address, date of registration); number and series of the state social insurance policy; information on education, advanced training, occupational training, academic degree, academic rank; bank account details; taxpayer identification number; specialty, occupation, qualification; contact information (including, business phone number, home and/or mobile phone number, email, etc.); details of the certificate of title; any other information required to perform mutual rights and obligations by the Organization and a counterparty.
A customer’s personal data shall include last name, first name, patronymic; contact information; date of birth, gender; height, weight, other data required to register and study the application.

A patient’s personal data shall include last name, first name, patronymic; contact information (including, business phone number, home and/or mobile phone number, email, etc.); passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.); household registration (including address, date of registration); number and series of the state social insurance policy; private health information; any other information required to perform mutual rights and obligations by the Organization and a patient.

Personal data of other subjects shall include last name, first name, patronymic; contact information (including, business phone number, home and/or mobile phone number, email, etc.); passport details or details of any other identity documents (series, number, date of issue, name of the issuing authority, etc.); household registration (including address, date of registration); number and series of the state social insurance policy; information on education, advanced training, occupational training, academic degree, academic rank; bank account details; taxpayer identification number; specialty, occupation, qualification; any other information required to perform mutual rights and obligations by the Organization and a counterparty.

Chapter 5

PRINCIPLES OF PERSONAL DATA PROCESSING

The principals of personal data processing shall be as follows

personal data shall be processed in accordance with Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts;

personal data shall be processed in accordance with the stated goals considering the interests of all persons concerned;

personal data shall be processed with the consent of a personal data subject unless otherwise provided for by the legal acts;

personal data processing shall be limited to the specific stated goals. Personal data processing not complying with the stated goals shall be not allowed;

the content and amount of personal data to be processed shall comply with the stated goals of processing. Personal data to be processed shall not be redundant with regard to the stated goals of processing;

personal data processing shall be transparent. Any personal data subject may be provided with information relating to its personal data processing in accordance with Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”;

the Operator shall take reasonable measures to ensure accuracy of personal data to be processed and to update personal data if necessary;

personal data shall be stored in the form enabling to identify a personal data subject as long as required by the stated goals of personal data processing.

Chapter 6

PURPOSES OF PERSONAL DATA PROCESSING

The personal data of personal data subjects shall be processed with a view to

exercising the functions, powers and obligations imposed on the Organization by the laws of the Republic of Belarus and international agreements to which the Republic of Belarus is the party;

providing benefits and compensations to the employees’ relatives; detecting a conflict of interest;

considering the possibility of employment of candidates; recording of human resources;

checking of candidates (including checking of their qualification and employment history); arranging and supporting business trips;

running events with the participation of personal data subjects;

ensuring the security and preservation of material assets and prevention of law violations;

issuing powers of attorneys and other authorizations; negotiating; making and executing contracts; checking counterparties;

advertising and promoting the products, including provision of information on the products of the Organization;

processing claims and applications containing information on product safety;

processing applications relating to adverse events and side effects; performing the obligations of a tax withholding agent;

achieving other goals aimed at the compliance with employment contracts, laws and other regulations.

Personal data shall be processed solely for one or several specified legitimate purposes. If personal data has been collected and processed for a certain purpose, such personal data may be used for other purposes only after notifying the personal data subject hereof and, if applicable, obtaining the consent for processing from the personal data subject.
Personal data may be processed for other legitimate purposes.

Chapter 7

RULES OF PERSONAL DATA PROCESSING

General Rules.

19.1. Personal data shall be processed both automatically and non-automatically, including use of the intranet and internet.

19.2. No personal data shall be processes except with the consent or written consent of a relevant personal data subject where provided for by the laws of the Republic of Belarus.

19.3. A written consent of a personal data subject shall contain

last name, first name, patronymic (if any); date of birth;

ID number. If a personal data subject has no ID number, the written consent shall contain the number of an identity document; personal data subject’s signature.

If no information is to be processed for the purposes of personal data processing, such information shall not be processed by the Operator upon receipt of the consent of a personal data subject.

19.4. No consent of a personal data subject for processing of its personal data, except for special personal data, shall be required

to conduct administrative and/or criminal proceedings, investigative activities;

to deliver justice, to execute court orders and other executive documents;

to supervise (control) in accordance with legal acts;

to implement legal norms of national security, combat corruption, money laundering, terrorist financing and financing of proliferation of weapons of mass destruction;

to implement legal norms relating to elections, referendum, recall of deputies of the House of Representatives, members of the Council of the Republic of the National Assembly of the Republic of Belarus, deputies of local Councils of Deputies;

to maintain records of insured persons for the purposes of state social insurance, including occupational pension insurance;

to arrange employment (work) relations;

to carry out notary services;

to consider the issues relating to the citizenship of the Republic of Belarus, to grant refugee status, additional protection, asylum and temporary protection in the Republic of Belarus, to grant and pay pensions and allowances;

to arrange and conduct state statistical surveys, to generate official statistical data;

to achieve scientific and other research goals provided that personal data is depersonalized;

to record, calculate and charge payment for utility and communal services, payment for accommodation, electricity and other services; to refund taxes, grant benefits, collect household, accommodation and electricity debts;

to obtain personal data by the Operator pursuant to the contract made with a personal data subject and to perform the activities specified therein;

to process personal data specified in the document signed by a personal data subject and referred to the Operator, in accordance with the content of this document;

to carry out professional activities by journalists and/or activities by mass media organizations, publishers with a view to protecting their interests, detecting and disclosing of information which endangers the national security, public order, public health, environment, information which may influence the performance by state officials of their obligations, except for the cases provided for the civil, procedural, economic, criminal and administrative laws;

to protect life, health or other vital interests of a personal data subject or other persons, if it is impossible to obtain the consent of the personal data subject;

with regard to the personal data which has been distributed before the personal data subject claims to terminate its personal data processing and to delete it provided that there are no other grounds for personal data processing pursuant to Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts;

when personal data processing is required to perform the obligations (powers) specified in legal acts;

when Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts directly specify processing of personal data without the consent of a personal data subject.

19.5. Special personal data of a personal data subject shall be processed only with the consent of the personal data subject except for the following cases

if a personal data subject has made its special personal data publicly available;

upon the arrangement of employment (work) relations and during the employment (work) of a personal data subject where provided for by the laws;

in the course of processing by public associations, political parties, trade unions, religious organizations of personal data of their founders (members) for the statutory purposes provided that such data shall not be distributed otherwise than with the consent of the personal data subject;

with a view to providing medical care provided that such personal data is processed by a medical specialist, pharmaceutical specialist or any other health care specialist who is obliged to protect personal data and private health information in accordance with the laws;

to deliver justice, execute court orders and other executive documents; to execute executive notes; to register the rights to inherit;

for the purposes of administrative and/or criminal proceedings; for the purposes of investigative activities;

where provided for by the correctional law; laws of national security, defense laws; anti-corruption laws, anti-money laundering laws, laws on combating terrorist financing and financing of proliferation of weapons of mass destruction; law on the national border of the Republic of Belarus, law of citizenship; law on the procedure for exiting and entering the Republic of Belarus, law on refugee status, additional protection, asylum and temporary protection in the Republic of Belarus;

for the purposes of the single national system of registration and recording of law violations; for the purposes of keeping the criminal records;

to arrange and conduct state statistical surveys, to generate official statistical data; to execute administrative procedures;

with regard to execution of international readmission agreements to which the Republic of Belarus is a party;

during recording of population;

to protect life, health or other vital interests of a personal data subject or other persons, if it is impossible to obtain the consent of the personal data subject;

when special personal data processing is required to perform the obligations (powers) specified in legal acts;

Special personal data shall be processed only if a set of measures is taken to prevent the risks related to the rights and freedoms of personal data subjects.

19.6. Collection of personal data

19.6.1. A personal data subject shall be the source of all personal data.

19.6.2. The Organization shall be entitled to obtain personal data of a personal data subject from third parties only if the personal data subject is informed thereof or if a personal data subject provides a written consent for obtaining of its personal data from the third parties unless otherwise provided for by Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”.

19.6.3. The notification of a personal data subject on obtaining its personal data from third parties shall contain

the name of the Operator, its location address, the purpose and legal grounds for personal data processing, intended users of personal data, rights of a personal data subject, source of personal data.

Storage of personal data

19.7.1. Personal data shall be stored in compliance with the conditions which provide its safety.

19.7.2. The paper documents containing personal data shall be stored in the designated access-restricted areas where they are protected from unauthorized access. The list of such areas shall be specified by the Organization.

19.7.3. The personal data n the electronic form shall be protected from unauthorized access with the help of special hardware and software safeguards. The personal data in electronic form shall be stored only in information systems of the Organization and databases (external storage of personal data) specified by the Organization.

19.7.4. Personal data shall be stored in the form enabling to identify a personal data subject as long as required by the stated goals of personal data processing unless any other terms are specified by the laws of the Republic of Belarus or any contract to which a personal data subject is a party, beneficiary or a guarantor.

19.7.5. Processed personal data shall be destroyed or depersonalized if the goals of processing are achieved, if there is no further need for achieving of goals, or if the period of storage of personal data is expired unless otherwise provided for by the laws.

19.7.6. Personal data shall be destroyed or depersonalized in a manner that prevents any further processing of such personal data. At the same time it shall be possible to process other data stored on relevant physical media, if necessary (deletion, cancellation).

19.7.7. If it is necessary to destroy or block a piece of personal data, the data not be destroyed or blocked shall be copied in a manner which eliminates the possibility to simultaneously copy the personal data to be destroyed or blocked; after that a relevant physical medium shall be destroyed or blocked.

19.8. Use

19.8.1. Personal data shall be processed and used for the purposes specified in Clause 6.1. of the Regulation.

19.8.2. Only the employees of the Organization, whose job duties include working with personal data, shall have access to personal data for the period required to work with such data. The list of employees shall be specified by the Organization.

19.8.3. If it is necessary to provide access to personal data to any employees not specified in the list of the persons who have access to personal data, such employees may obtain a temporary access to a limited portion of personal data by order of the chief physician of the Organization or by order of any other person authorized by the chief physician of the Organization. Such employees shall read and sign the personal data confidentiality letter.

19.8.4. The employees who process personal data non-automatically shall be informed (including reading of this Regulation) on the fact they process personal data, on the categories of personal data being processed, on special aspects and rules for personal data processing specified by the laws and this Regulation.

19.8.5. No employee shall have access to personal data without a duly made permit.

19.8.6. If it is necessary to use or distribute certain personal data stored on the physical medium together with other personal data, the personal data to be used or distributed shall be copied in a manner which eliminates the possibility to simultaneously copy the personal data not to be used or distributed, and the copy of personal data shall be used (distributed).

19.8.7. Personal data processed non-automatically shall be clarified by updating or changing the data stored on the physical medium or, if it is impossible to do so due to technical characteristics of the physical medium, by recording the information on updates and changes on the same physical medium, or by making a new physical medium containing the clarified personal data.

19.9. Transfer

19.9.1. Only minimum volume of personal data may be transferred to any third persons provided that such data is transferred with a view to achieving the goals for which this data has been collected.

19.9.2. No personal data shall be transferred to any third persons, including transfer for commercial purposes, except from the consent of a personal data subject or any other legal grounds

19.9.3. A personal data subject shall be notified of any transfer of its personal data to any third persons except where otherwise provided for by the laws, in particular, if

a personal data subject is notified that the Operator get its personal data from the Organization and processes it;

personal data has been made publicly available by a personal data subject or has been obtained from a publicly available source;

personal data is processed for statistical or other research purposes, for mass media reasons or any other scientific, literary or creative activities provided that the rights and legitimate interests of a personal data subject are not violated.

19.9.4. Any information, containing personal data, shall be transferred in a manner that prevents an unauthorized access to, deletion, modification, blocking, copying, distribution of such information or any illegal acts with respect to it.

19.9.5. No cross-border personal data transfer shall be allowed if the rights of personal data subjects are not duly protected on the territory of a foreign state except when

a personal data subject has been notified of possible risks related to the lack of due protection of its personal data and has agreed on such transfer;

personal data has been obtained under the contact with the personal data subject and is transferred with a view to performing the activities stipulated in such contact;

personal data may be obtained upon the request of any person pursuant to the procedure and in cases provided for by the laws;

such transfer is required to protect life, health or other vital interests of a personal data subject or other persons when it is impossible to obtain the consent of the personal data subject;

personal data are processed under the international agreements to which the Republic of Belarus is a party

personal data is transferred by a financial monitoring agency with a view to taking measures to prevent money laundering, terrorist financing and financing of proliferation of weapons of mass destruction in accordance with the laws;

a relevant permit from an authority protecting the rights of personal data subjects has been obtained.

19.9.6. The persons who obtain personal data shall be notified that the obtained personal data may be used only for the purposes for which it has been provided and shall be kept confidential. The Organization shall be entitled to ask such persons to provide a relevant confirmation.

19.9.7. Relevant information may be provided to them in accordance with the procedure specified by the laws of the Republic of Belarus if the government authorities are entitled to ask for personal data or if personal data is to be provided according to the laws or an inquiry from the court.

19.9.8. All inquiries shall be referred to a person responsible for the arrangement of personal data processing at the Organization for a preliminary consideration and approval.

19.9. Order for processing

19.9.1. The Organization shall be entitled to assign an authorized person to process personal data.

19.9.2. The contract between the Operator and an authorized person, a legal act or a decision of a government authority shall contain

purposes of personal data processing;

list of actions an authorized person will do with respect to personal data;

obligations to maintain confidentiality of personal data, measures to protect personal data in accordance with Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”;

19.9.3. An authorized person must not obtain the consent of a personal data subject. If the authorized person needs to obtain the consent of the personal data subject for processing of its personal data on behalf of the Operator, the Operator shall obtain such consent.

19.9.4. If the Operator assigns an authorized person to process personal data, the Operator shall be liable to the personal data subject for any activities performed by the authorized person. The authorized person shall be liable to the Operator.

Protection

19.10.1. Personal data protection shall mean a series of legal, organizational and technical measures aimed at

protecting information from an unauthorized access, destruction, modification, blocking, copying, provision and from other illegal actions with respect to such information;

maintaining confidentiality of restricted information; exercising the rights to access to information.

19.10.2. The Operator shall take all necessary measures provided for by the laws (included but not limited to):

to restrict and specify the list of employees, who are to have access to the information containing personal data (including the use of passwords for electronic information resources);

to provide conditions for restricted storage of the documents containing personal data;

to arrange the procedure for destruction of the information containing personal data, if the laws do not specify the requirements for storage of relevant data;

to control the compliance with the personal data protection requirements, including those stipulated in this Regulation (by internal checking, by using specials means of monitoring, etc.);

to investigate all cases of unauthorized access or disclosure of personal data and hold those responsible to account; to take other measures;

to implement electronic data protection hardware and software;

to ensure recovery of the personal data that has been modified or destroyed as result of unauthorized access.

19.10.3. To protect personal data in the course of its processing in the information systems, the Organization shall take all necessary measures provided for by the laws (included but not limited to):

to detect security threats in the course of personal data processing, to use organizational and technical measures aimed at protecting personal data during its processing in the personal data information systems;

to record personal data media;

to detect any unauthorized access to personal data and to take relevant measures;

to recover the personal data that has been modified or destroyed as result of unauthorized access;

to set the rules on access to the personal data processed in the personal data information system, to register and record all actions with personal data in the personal data information system.

19.10.4. The Organization has assigned the persons responsible for personal data processing.

19.10.5. The Organization takes other measures aimed at performing the obligations on personal data provided for by the laws of the Republic of Belarus.

19.11. Resolution No.74 of the Ministry of Health of the Republic of Belarus as of June 7, 2021 “On Forms and procedures for the provision and withdrawal of a patient’s consent for the entry and processing of their personal data” shall be applied in the course of entering and processing patients’ personal data and private health information; in the course of creating patients’ electronic medical records, information systems, information resources, databases (data banks), health care registers (registries); in the course of notifying patients or other persons specified in Part 2 of Article 18 of Law No.2435-XII of the Republic of Belarus as of June 18, 1993 “On Health Care”.

Chapter 8

RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS

Any personal data subject shall be entitled to

20.1. withdraw its consent for personal data processing at any time without giving reasons by submitting a relevant application to the Operator in accordance with the procedure specified in Article 14 of Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” or in the form by which it gave its consent;

20.2. obtain information on processing of its personal data, including

the Operator’s name (last name, first name, patronymic (if any) and location (address of residence/stay);

confirmation of personal data processing by the Operator (an authorized person);

its personal data and source of data; legal grounds for and purposes for personal data processing; duration of its consent;

name and location of an authorized person, if such authorized person is a government authority, legal entity of the Republic of Belarus or any other organization;

any other information specified by the laws;

20.3. ask the Operator to modify its personal data, if such data is incomplete, outdated or inaccurate. For this purpose the personal data subject shall submit the application to the Operator in accordance with the procedure specified in Article 14 of Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and attach to the application the relevant documents and/or duly certified copies of the documents confirming the necessity to amend personal data;

20.4. get from the Operator information on provision of its personal data to any third persons once in a year on a free basis unless otherwise is provided for by Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts. To get such information, a personal data subject shall submit a relevant application to the Operator. The application shall contain the personal data subject’s last name, first name, patronymic (if any), address of residence/stay, date of birth, identification number (If the personal data subject has no identification number, it shall provide the number of identity document provided that the personal data subject has specified this information upon provision of consent or if personal data is processed without consent of the personal data subject), essence of requirements, personal signature or digital signature

20.5. ask the Operator to terminate its personal data processing free of charge, including destruction of such data, if there are no grounds for personal data processing in accordance with Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” or other legal acts. To exercise the right the personal data subject shall submit an application to the Operator in accordance with the procedure specified in Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”;

20.6. appeal against the Operator’s actions (inactions) and decisions which violate the personal data subject’s right during processing of personal data in accordance with the procedure set forth by the laws on appeals from citizens and legal entities.

A personal data subject’s right to access to its personal data may be restricted in accordance with the laws of the Republic of Belarus.
All applications from personal data subjects and their representatives relating to personal data processing shall be registered in a relevant registry.
A personal data subject shall

provide reliable personal data to Organization;

timely inform the Organization on any modifications of and supplements to its personal data;

exercise its rights in accordance with the laws of the Republic of Belarus and the by-laws of the Organization on personal data processing and protection;

perform other obligations provided for by the laws of the Republic of Belarus and the by-laws of the Organization on personal data processing and protection.

Chapter 9

RIGHTS AND OBLIGATIONS OF THE ORGANIZATION

The Organization shall be entitled to

set the rules of personal data processing at the Organization;

amend and supplement the Regulation;

develop on its own in accordance with the laws and use the document forms required to perform its obligations;

exercise other rights set forth by the laws of the Republic of Belarus and the by-laws of the Organization on personal data processing and protection.

The Organization shall

explain to a personal data subject its right relating to personal data processing;

obtain the consent of a personal data subject except as otherwise provided for by Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts;

protect personal data in the course of its processing;

fulfill other requirements of the data protection authority relating any violations of the laws on personal data;

perform other obligations stipulated in Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” and other legal acts.

Chapter 10

LIABILITIES

Any person shall be held liable for any violation of Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection” in accordance with legal acts.
If any employee or other person violates the Regulation or the laws of the Republic of Belarus on persona data, they may be exposed to disciplinary and material liability in accordance with the procedure stipulated in the Labour Code of the Republic of Belarus or may be exposed to civil, administrative or criminal liability in accordance with the procedure set forth by the laws of the Republic of Belarus.

Annex 2

to the Operator’s personal data processing policy

REGULATION

on the procedure for maintaining personal data confidential during its processing

at the health care institution “the 10^th City Clinical Hospital”

Chapter 1

GENERAL PROVISIONS

This Regulation shall set the methods for the protection of personal data processed at the health care institution “the 10^th City Clinical Hospital” (hereinafter referred to as the Organization). Such measures shall be understood to mean any action or series of actions with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision and deletion of personal data.
This Regulation has been developed in accordance with

Constitution of the Republic of Belarus;

Labour Code of the Republic of Belarus;

Law No. 99-З of the Republic of Belarus as of May 7, 2021 “On Personal Data Protection”;

Law No.418-З of the Republic of Belarus as of July 21, 2008 “On Population Register”;

Law No. 455-З of the Republic of Belarus as of November 10, 2008 “On Information, Informatization and Information Protection”;

Law No.114-З as of May 28, 2021 “On Revision of laws on labour relations”;

other legal acts and regulations of the Republic of Belarus.

According to the laws of the Republic of Belarus personal data shall mean any information relating to an identified or an identifiable natural person, including the last name, first name, patronymic, date of birth, address, marital status, social status, financial status, education, profession, income, other information as may be necessary for the Organization to establish employment relations or to draw up, make, execute or terminate contracts with counterparties or to provide medical care.
The requirement to ensure confidentiality of personal data during its processing shall mean that the officials of the Organization who have access to personal data processing and other persons who have obtained access to personal data shall not distribute personal data without the consent of the personal data subject or without any other legal grounds.
Personal shall not be kept confidential if

personal data is depersonalized (the actions which make it impossible to identify the data owner without using additional information);

personal data is publicly available (personal data distributed by the personal data subject, with the consent of the personal subject or pursuant to the requirements of legal acts).

The chief physician of the Organization shall approve the lists of personal data and the lists of persons responsible for storage and processing of personal data. Confidential personal data shall not be stored or processed by any persons not specified in the order.
The Organization shall provide the conditions necessary for safe and confidential processing of personal data by the officials, who work with personal data. The Organization shall

require the employees to read the Personal Data Processing Policy of the health care institution “the 10^th City Clinical Hospital”, the Regulation on personal data processing and protection at the health care institution “the 10^th City Clinical Hospital”, this Regulation on the procedure for maintaining personal data confidential during its processing, job descriptions and other by-laws of the Organization on personal data confidentiality and protection, and to acknowledge in writing that they understand them;

provide storage facilities for the documents, tools for the access to information resources (access keys, passwords, etc.);

train the employees on the use of data security tools;

hold other events.

The officials of the Organization, who work with personal data, shall not disclose such data to any third party either orally or in writing if not due to an official requirement. After transfer of the prepared documents, the employee who has prepares the documents shall write the draft documents and versions of documents to the marked storage media. No databases (card catalogues, file achieves, etc.) containing confidential data shall be created and stored without an approval of a unit chief.
The officials of the Organization who work with personal data shall use any personal data only with a view to performing their work obligations.
After finishing the performance of the job functions relating to personal data processing, an employee shall transfer all personal data storage media (original documents, copies of documents, data media, paper media, etc.) used to perform its work obligations to the line manager.
No personal data shall be transferred to any third parties except where provided for by the laws of the Republic of Belarus, the Personal Data Processing Policy of the health care institution “the 10^th City Clinical Hospital”, the Regulation on personal data processing and protection at the health care institution “the 10^th City Clinical Hospital”, this Regulation on the procedure for maintaining personal data confidential during its processing, job descriptions and other by-laws of the Organization on personal data confidentiality and protection.

Any personal data shall be transferred by the official of the Organization who is responsible for personal data processing pursuant to a written or oral order of the chief of unit.

Any data or documents containing personal data shall be transferred under a duly executed handover act.

13 After provision of personal data to any third parties the official shall notify in writing the personal data subject thereof.

No personal data shall be transferred by phone, fax, email except where provided for by the laws and the applicable by-laws of the Organization.

The answers to the requests from the citizens and organizations shall not contain personal data except when the request contains personal data or personal data is available in public sources.

The officials of the Organization who work with personal data shall immediately inform their line managers and the lead network administrator (electronic engineer) of any cases of an unauthorized access or access attempts to personal data by any third parties, of any loss or shortage of personal data storage media, ID cards, passes, keys to safes (storage facilities), personal seals, electronic keys and other events which may result in an unauthorized access to personal data as well as on any causes and conditions of possible data leakage.
The officials of the Organization who process personal data shall be exposed to disciplinary, administrative, civil, legal or criminal liability for any violation of obligations of personal data confidentiality and protection in accordance with the laws of the Republic of Belarus.
No official of the Organization shall be released from the liability for improper performance of their obligations on protecting and keeping personal data confidential in case of lack of control by the Organization in accordance.

Chapter 2

PROCEDURE FOR THE PROTECTION OF PERSONAL DATA DURING NON-AUTOMATED DATA PROCESSING

If a person is directly involved in processing of personal data including those contained in the personal data information system or those extracted from such system, such processing shall be deemed to be non-automated processing.
The chief of the unit, which processes personal data non-automatically shall

determine the facilities for the storage of personal data and physical media;

monitor the data storage conditions at the units (the conditions shall ensure personal data protection and prevent any unauthorized access to personal data);

inform the persons, who process personal data non-automatically, of the list of personal data to be processed and of the special aspects and rules of such processing;

arrange the separate, not combined, storage of physical media (documents, discs, floppy discs, USB flash drives, etc.) that are processed for different purposes.

No personal data that is processed for different purposes shall be recorded to one physical medium. Each category of personal data processed non-automatically shall be recorded to a separate physical medium.
If data is to be processed for different purposes, the chief of unit shall ensure the separate processing of personal data.
If allowed by a physical medium, a portion of personal data shall be destroyed or depersonalized in a manner which prevents any further processing of such data, but makes it possible to process other data stored on this physical medium (deletion, cancellation).
Personal data processed non-automatically shall be clarified by updating or changing the data stored on the physical medium.

Chapter 3

PROCEDURE FOR THE PROTECTION OF PERSONAL DATA DURING AUTOMATED DATA PROCESSING

Automated personal data processing shall mean the performance of actions (operations) with personal data using the computers in the computer network of the Organization (hereinafter referred to as the OCN).

The personal data security system which includes organizational measures, information security tools and information technologies used in the OCN shall protect personal data in the course of its processing.

The security tools and security software shall comply with the requirements specified in the laws of the Republic of Belarus on data protection.

The information security tools used in the OCN shall be duly assessed for the compliance.

Automated personal data processing shall be allowed by the order of the Chief of the Organization provided there are access passwords.
Personal data in the OCN shall be handled in a manner that ensures the security of personal data storage media and information security tools and prevents an uncontrolled presence of any persons in the relevant premises.
Any computer and/or folder containing personal data shall be protected by an individual password.
No personal data shall be transferred over the public communication networks, including the internet, without special data security tools.
During processing of personal data in the OCN, the users shall

use the specified sections (catalogues) of data storage media embedded in the hardware or marked removable media;

avoid any physical impact on the hardware which can lead to its failure;

constantly use antivirus software with a view to detecting infected files and immediately recovering the personal data that has been modified or destroyed as a result of an unauthorized access thereto;

prevent any unauthorized carrying out, installment or connection of equipment, and deletion, installation and setting up of software.

During processing of personal data in the OCN, the developers and information system administrators shall

train the relevant persons on using the security tools of the OCN;

record the security tools, instruction manuals and technical specifications thereto;

control the compliance of the use of the security tools with the requirements specified in the instruction manuals and technical specifications;

describe the personal data security system.

Any specific requirements to personal data protection in certain automated systems of the Organization shall by determined in accordance with the duly approved operation manuals.

Chapter 4

THE PROCEDURE FOR THE RECORDING, STORAGE, USE AND DISPOSAL OF REMOVABLE STORAGE DEVICES AND HARD COPIES

All removable storage devices (discs, floppy discs, USD flash drives, etc.) containing personal data stored in and used by the Organization shall be registered. Each removable storage device containing personal data shall be marked with a unique registration number.
The lead network administrator (electronic engineer) shall issue and register removable personal data storage devices.

The employees of the Organization shall be provided with a registered removable storage device for a certain period with a view to performing work.

Upon receipt of a removable storage device the relevant entries shall be made in the register of removable personal data storage devices (hereinafter referred to as the Register) kept by the lead network administrator (electronic engineer).

After completing the work, the user shall return the removable storage device to the lead network administrator (electronic engineer) for storage. A relevant entry shall be made in the Register.

During work with removable storage devices, it shall be prohibited

to store the removable storage devices containing personal data together with the storage devices containing publicly available data, to store them on the desks, to leave them unattended or to transfer to any third persons for storage;

to carry out the removable storage devices containing personal data from the office premises with a view to working with them at home, in hotels, etc.

If personal data is to be sent or transferred to any recipients, only the personal data intended for the recipients shall be recorded to removable storage devices. Any personal data on removable storage devices shall be transferred to recipients according to the procedure set forth for the transfer of restricted documents. A personal transfer of removable storage devices containing personal data shall be approved by the chief physician of the Organization in writing.
The chief physician of the Organization shall be immediately notified of a loss of a removable storage device containing personal data or of a disclosure of personal data stored on removable storage devices.

A loss certificate shall be made in case of a loss of any storage devices. Relevant entries shall be made in the Registry.

Chapter 5

FINAL PROVISIONS

All employees of the units of the Organization and the persons who perform works under agreements and contracts and are involved into processing of personal data of employees of the Organization shall read this Regulation and acknowledge it in writing in the Access register. The lead network administrator (electronic engineer) shall be responsible for the instruction.