“Central Scientific Library Named After Yakub Kolas
of the National Academy of Sciences of Belarus”
State Institution

Minsk, 2022

1.1. The Policy regarding personal data processing (hereinafter referred to as the Policy) in the “Central Scientific Library Named After Yakub Kolas of the National Academy of Sciences of Belarus” State Institution (hereinafter referred to as the Operator) shall define the basic principles, goals, conditions and methods of the personal data processing, entities lists and personal data processed, functions of employees when processing personal data, rights of personal data entities, as well as requirements for the protection of personal data implemented by the Operator.

1.2. The Policy was developed taking into account the requirements of the Constitution of the Republic of Belarus, Law of the Republic of Belarus dated on July 5, 2021 No. 99-З “On Personal Data Protection” (hereinafter referred to as Law No. 99-З) and other regulatory legal acts of the Republic of Belarus in the field of personal data protection.

1.3. The provisions of the Policy shall serve as the basis for the development of local legal acts regulating the processing and protection of personal data of the Operator’s employees and other personal data entities.

1.4. The Policy shall be applied to the personal data processing of the following categories of entities: Operator users; authors of works or other individuals whose personal data is used in the creation of the Operator’s information resources; Operator’s employees or persons applying for employment; persons when concluding civil contracts.

1.5. For the purposes of this Policy, the terms “personal data processing”, “personal data”, “operator”, “personal data entity”, “authorised person”, etc. shall be used in the meanings defined in Law No. 99-З.

1.6. When organising processes for the personal data processing, the Operator shall proceed from the need for the participation of all employees within the framework of their job responsibilities in the personal data safety and transparency in their processing.

2.1. The Operator shall process personal data of its employees and other personal data entities who are not in an employment relationship with the Operator.

2.2. The personal data processing shall be implemented taking into account the need to ensure the protection of the personal data entities’ rights and freedoms, including the protection of the right to privacy, personal and family secrets based on the following principles:

• the personal data processing shall be implemented on a legal and fair basis;

• the personal data processing shall be implemented with the consent of the personal data entity, except for cases provided for by legislative acts;

• the personal data processing shall be limited to the achievement of specific, pre-declared legitimate purposes. The personal data processing that is incompatible with the originally stated purposes of their processing shall not be permitted;

• the content and volume of personal data processed shall correspond to the stated purposes of their processing. The personal data processed shall not be redundant in relation to the stated purposes of their processing;

• the personal data processing shall be transparent. The personal data entity shall be provided with relevant information regarding the processing of its personal data;

• the Operator shall take measures to ensure the credibility of the personal data processed by it and, if necessary, update them;

• the personal data storage shall be implemented in a form that allows identification of the personal data entity, no longer than required by the stated purposes of the personal data processing.

2.3. Personal data shall be processed by the Operator for the purposes of:

• implementation of functions, powers and responsibilities assigned by the legislation of the Republic of Belarus, including the provision of personal data to government authorities, to the Social Protection Fund of the Ministry of Labor and Social Protection of the Republic of Belarus, as well as to other government bodies;

• conducting personnel work and organising records of the Operator’s employees and candidates for employment;

• documents archival storage;

• employment relations regulation with the Operator’s employees (assistance in employment, paperwork for employment (personal file, etc.), training and promotion, creation of a personnel reserve, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring property safety, sending medical examination, etc.);

• business trips and other official trips;

• execution of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Republic of Belarus on enforcement proceedings;

• implementing administrative procedures (issuing certificates of wages, place of work, etc.);

• issuing powers of attorney and other authorising documents when representing the interests of the Operator in government bodies and other organisations;

• the personal data processing as part of the Operator’s commissions work;

• consideration of appeals from citizens and employees;

• conducting within the competence of military registration;

• maintaining accounting and tax records, calculating and paying wages (bonuses, etc.), calculating and paying reimbursements provided for by law for expenses incurred, compensation, compulsory social insurance, tax deductions and financial assistance;

• conducting video surveillance to ensure life protection, health or other vital interests of personal data entities;

• ensuring labour protection, industrial accidents investigation, fire safety and protection from emergency situations;

• ensuring access and intra-facility modes;

• registration as a user of the Operator and issuance of a library card (temporary reader card);

• identification of a registered user on the Operator’s websites;

• identification and authorisation of licensed information resources, provision of remote access to them;

• identification and authorisation of registered users in licensed information resources purchased by the Operator to provide remote access to them;

• ensuring library collections safety;

• organisation of reference materials for internal information support of the Operator’s activities;

• creation, editing, maintenance and distribution of information resources (databases) containing information about personal data entities;

• creation, editing and distribution of information products containing entities personal data;

• organising and conducting research work;

• holding and organising events, ensuring the participation of personal data entities in them (conferences, seminars, exhibitions, etc.);

• conclusion, execution and termination of contracts with counterparties;

• provision of services by the Operator (information services, bibliographic services, etc.);

• posting on social networks, on the Operator’s websites the results of photo and video shooting on the Operator’s premises;

• informing on the Operator’s websites about the Operator’s work;

• editorial and publishing activities;

• other lawful purposes.

2.4. The legal grounds for the personal data processing shall be:

• Labor Code of the Republic of Belarus and other acts of legislation regulating labour and relations hereto related;

• tax and accounting legislation;

• Civil Code of the Republic of Belarus and other acts of legislation governing the conclusion, execution and termination of civil contracts;

• the Code of the Republic of Belarus on Culture;

• local legal acts regulating the creation of information resources and user services;

• other regulatory legal acts related to the activities of the Operator.

Personal data entities shall include:

• Operator’s employees, candidates for employment, as well as their close relatives and in-laws;

• users of the Operator, including users of the of the Central Scientific Library Named After Yakub Kolas of the National Academy of Sciences of Belarus csl.bas-net.by Internet site and other Internet sites of the Operator, information resources of the Operator, licensed information resources purchased by the Operator to provide remote access to them;

• authors of works or other individuals whose personal data is used in the creation of the Operator’s information resources;

• individuals when visiting the Operator;

• individuals whom the Operator has concluded (intends to conclude) civil contracts with;

• individuals whose personal data has been made publicly available by them, and their processing does not violate their rights and legitimate interests and complies with the requirements established by the legislation on personal data;

• local legal acts, other individuals who have expressed consent to the processing of their personal data by the Operator, or individuals whose personal data processing is necessary for the Operator to achieve the goals provided for by the law (to ensure implementation of the processing purposes specified in Chapter 2 of the Policy), regulating issues creation of information resources and user services.

4.1. The content and volume of personal data of each category of entities shall be determined by the need to achieve the specific purposes of their processing, as well as the need for the Operator to exercise its rights and obligations, as well as the rights and obligations of the corresponding entity.

4.2. The list of personal data processed by the Operator shall be determined in accordance with the legislation of the Republic of Belarus, local acts, the achievement of set goals and shall include:

• identification number;

• surname, given name, patronymic (if any);

• sex;

• day, month, year of birth;

• place of birth;

• face image (photo, video);

• data on citizenship (nationality);

• data on registration at the place of residence and (or) place of stay;

• on the marital status, spouse, child (children) of an individual;

• data on education, academic degree, academic title;

• medical data;

• number and series of state social insurance certificate;

• mobile phone, home phone;

• place of study (faculty, course, form of study);

• place of work, position;

• e mail;

• others.

4.3. Personal data shall not be only information that directly identifies or allows the identification of an individual, but also the information that, together with other available or accessible information, can be reasonably likely to be used to identify an individual (e-mail, cookie, IP address, etc.).

4.4. The Operator shall not process special categories of personal data relating to race, health status unless otherwise provided by law.

5.1. The personal data processing shall be implemented by the Operator with the consent of the personal data entity for the processing of his personal data unless otherwise provided by the legislation of the Republic of Belarus.

The consent of the personal data entity can be obtained in writing by signing a separate document (sample consent is attached in Appendix No. 1), in the form of an electronic document or in another electronic form (by putting the appropriate mark on the website), as well as in another way that allows you to establish the fact of obtaining the consent of the personal data entity.

Should it be necessary to change the initially stated purposes of processing personal data, the Operator shall obtain the consent of the personal data entity to process his personal data in accordance with the changed purposes of processing personal data in the absence of other grounds for processing.

5.2. The Operator shall not disclose nor distribute personal data to third parties without the consent of the personal data entity unless otherwise provided by the legislation of the Republic of Belarus.

5.3. The processing of personal data shall be implemented by the Operator’s employees, whose job responsibilities include the personal data processing for the stated purposes.

5.4. Processing of personal data, including collection, systematisation, storage, modification, use, depersonalisation, blocking, distribution, provision, deletion by the Operator, shall be implemented in the following ways:

• using automation tools;

• without the usage of automation tools (on paper).

5.5. In some cases, the Operator may entrust the processing of personal data to an authorised person on the basis of a concluded agreement.

5.6. The Operator shall process personal data using automation tools when using the following software:

• Automated library information system of the Central Scientific Library of the National Academy of Sciences of Belarus;

• “Consolidated electronic catalogue of libraries in Belarus”;

• “Accountant’s world” software package;

• “Automated information support system for bibliometric assessment of scientific productivity and performance of research organisations and scientists” (AS BONUS);

• “Electronic catalogue of documents” database;

• Automated system for selective dissemination and electronic delivery of scientific information of the automated system for selective information dissemination of the Central Scientific Library of the National Academy of Sciences of Belarus;

• “Study of reading and book publishing in Belarus” database;

• “Bibliography of scientists of the National Academy of Sciences of Belarus” database;

• Virtual help desk;

• Electronic document delivery service;

• Repository of the Central Scientific Library of the National Academy of Sciences of Belarus;

• Central Scientific Library Named After Yakub Kolas of the National Academy of Sciences of Belarus website;

• Central Scientific Library of the National Academy of Sciences of Belarus “Eco Info” website;

• also, services for remote access to licensed information resources; and others.

5.7. The source of information about personal data shall be directly represented by the personal data entity, as well as information obtained from open sources. The Operator has the right to receive personal data of the personal data entity from third parties only upon notification of this to the entity or with the written consent of the entity to receive his personal data from third parties.

5.8. When storing personal data, the Operator shall comply with the conditions ensuring the safety of personal data.

5.9. Documents including personal data contained on paper, with the exception of documents related to library collections, shall be located in specially designated places with limited access under conditions that ensure their protection from unauthorised access.

5.10. Personal data stored electronically shall be protected from unauthorised access using special technical and software protection tools.

5.11. Personal data storage shall be implemented in a form that allows identification of the personal data entity, but no longer than required by the purposes of their processing unless another period is established by the legislation of the Republic of Belarus or an agreement to which the personal data entity is a party, beneficiary or guarantor.

5.12. Unless otherwise provided by law, the processed personal data shall be subject to destruction or depersonalisation upon achievement of the processing goals, in the event of the loss of the need to achieve these goals or upon expiration of their storage period.

5.13. The destruction or depersonalisation of personal data shall be implemented in a manner that precludes further processing of this personal data. At the same time, if necessary, it is necessary to retain the ability to process other data recorded on the appropriate material medium.

5.14. Should it be necessary to destroy or block part of personal data, a material medium shall be destroyed or blocked with preliminary copying of information that is not subject to destruction or blocking, in a manner that precludes simultaneous copying of personal data entity to destruction or blocking.

6.1. The personal data entity has the right to:

• receive information regarding the processing of his personal data in the manner, form and within the time frame established by the legislation on personal data;

• receive information about providing your personal data to third parties in accordance with the legislation on personal data;

• demand termination of its personal data processing should there be no grounds for processing personal data;

• demand changes to its personal data should it be incomplete, out of date or inaccurate;

• demand the deletion (anonymisation) of its personal data, its blocking, should the personal data be illegally obtained, be unnecessary for the stated processing purpose, or be used for purposes not previously stated when the personal data entity provided consent to the personal data processing unless this contradicts legislation;

• take measures provided for by law to protect its rights;

• withdraw its consent to the personal data processing.

6.2. The Operator has the right:

• process personal data of the personal data entity in accordance with the stated purpose;

• demand the personal data entity to provide reliable personal data necessary for the execution of the contract, identification of the personal data entity, as well as in other cases provided for by the legislation on personal data;

• process publicly available personal data of individuals;

• process personal data subject to publication or mandatory disclosure in accordance with the law;

• entrust the processing of personal data to an authorised person provided that effective protection means are provided by a third party.

6.3. The Operator shall:

• explain to the personal data entity its rights related to the personal data processing;

• obtain the consent of the personal data entity, except for cases determined by Law No. 99-З and other legislative acts;

• provide the personal data entity with information regarding the processing of its personal data, as well as the provision of its personal data to third parties, with the exception of cases determined by Law No. 99-З and other legislative acts;

• introduce amendments to personal data that is incomplete, outdated or inaccurate, except in cases specified by Law No. 99-З and other legislative acts;

• stop processing personal data, as well as delete or block it (ensure the termination of personal data processing, as well as its deletion or blocking by an authorised person) in the absence of grounds for processing personal data;

• make an amendment, block or deletion of unreliable or illegally obtained personal data of the personal data entity at the request of the authorised body for the protection of the rights of personal data entities;

• take legal, organisational and technical measures to ensure the protection of personal data from unauthorised or accidental access to it, modification, blocking, copying, distribution, provision, deletion of personal data, as well as from other unlawful actions in relation to personal data;

• perform other duties provided for by law.

The Operator may implement cross-border transfer of personal data to the territory of foreign countries that provide an adequate level of the rights protection of personal data entities.

Cross-border transfer of personal data shall be prohibited should the appropriate rights protection level of personal data entities be not ensured on the territory of a foreign state, except for the cases established by Art. 9 of Law No. 99 З.

8.1. To implement internal control over the personal data processing, a responsible person shall be appointed.

The person responsible for implementing internal control over the personal data processing shall perform the following functions:

• monitoring the activities of the Operator’s structural divisions regarding compliance with requirements for the personal data processing and protection;

• The Operator’s structural divisions activities coordination regarding the processing and personal data protection;

• organising the local legal acts development regulating issues regarding the processing of personal data.

8.2. The Operator shall ensure the application of measures to protect personal data from unauthorised or accidental access to it, deletion, modification, blocking, copying, personal data distribution, as well as other unlawful actions in relation to personal data.

8.3. When processing personal data, the Operator shall ensure their protection and implement the following measures:

• publication of documents defining the Operator’s policy regarding the personal data processing;

• familiarising employees directly involved in the personal data processing with the provisions of the legislation on personal data, conducting training;

• establishing the procedure for access to personal data, including those processed in the information resource;

• implementation of technical and cryptographic personal data protection in the manner established by the Operational Analytical Centre under the President of the Republic of Belarus, in accordance with the classification of information resources containing personal data;

• unlimited access, including using the global computer network Internet, to documents defining the Operator’s policy regarding the personal data processing before such processing is started;

• termination of personal data processing should there be no grounds for their processing;

• immediate notification of the authorised body for the personal data entities rights protection about violations of personal data protection systems;

• limiting the personal data processing to the achievement of specific, pre-declared legitimate purposes;

• personal data storage in a form that allows identification of the personal data entities for no longer than required by the stated purposes of processing personal data.

9.1. Persons guilty of violating Law No. 99-З shall bear responsibility as provided for by legislative acts.

9.2. Employees and other persons guilty of violating this Policy, as well as the legislation of the Republic of Belarus in the field of personal data, may be subject to disciplinary and financial liability in the manner established by the Labor Code of the Republic of Belarus, and may also be subject to civil, administrative and criminal liability in the manner established by the legislation of the Republic of Belarus.