Personal Data Processing Policy of JV Pharmland LLC

APPROVED
By the order of Acting
General Director
No. 109 dated 22 June 2023

PERSONAL DATA PROCESSING POLICY OF BELARUSIAN-DUTCH JOINT VENTURE PHARMLAND LIMITED LIABILITY COMPANY

General Provisions

1.1. The Personal Data Processing Policy of Belarusian-Dutch Joint Venture PHARMLAND Limited Liability Company (JV Pharmland LLC), 222603, Nesvizh, Minsk Region, 124 Leninskaya Str., bld. 3 (hereinafter referred to as the “Policy”) has been developed in compliance with the requirements of paragraph 3 of Clause 3 of Article 17 of the Law of the Republic of Belarus No. 99-Z dated 07 May 2021 “On the Protection of Personal Data” (hereinafter referred to as the “Law on Personal Data”), taking into account the requirements of the Constitution of the Republic of Belarus, legislative and other regulatory legal acts of the Republic of Belarus in the field of personal data aimed to ensure the protection of the rights and freedoms of person and citizen when processing their personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. The Policy applies to all personal data processed by JV Pharmland LLC (hereinafter referred to as the “Operator”) and is binding on all employees of the Operator who are engaged in the processing of personal data.

1.3. The Policy applies to relationships in the field of personal data processing that arose with the Operator both before and after approval of the Policy.

1.4. For the purposes of this Policy, the terms used herein shall have the meanings set forth in the Law on Personal Data.

Purposes and lawful grounds for Personal Data Processing

2.1. Processing of personal data shall be limited to the achievement of specified, explicit, and legitimate purposes. Processing of personal data that is not carried out in accordance with the purposes for which personal data is collected is not permitted.

2.2. Only those personal data that meet the purposes for which personal data is processed shall be subject to processing.

2.3. The Operator shall perform processing of personal data for the following purposes:

— ensuring compliance with the legislation of the Republic of Belarus, including in the exercise of functions, powers and obligations in the field of pharmacovigilance, such as, but not limited to, in identifying adverse reactions to medicinal products manufactured by the Operator and released into circulation in the territory of the Republic of Belarus;

— implementation of the Operator’s activities in accordance with its Articles of Association;

— implementation of functions, powers and duties imposed by the legislation of the Republic of Belarus on the Operator, including the provision of personal data to government bodies, the Social Security Fund of the Ministry of Labour and Social Protection of the Republic of Belarus, as well as other government bodies;

— formalization of labour (official) relations with the Operator’s employees (assistance in employment, personnel records management, military records management; individual (personalized) records management of the Operator’s employees; labour protection; accrual and transfer of wages, assignment and payment of benefits; training, hotel reservations, reservation and purchase of tickets when sending employees on business trips, issuance of certificates, powers of attorney, preparation of business cards, preparation of references, ensuring personal security, ensuring the safety of property, including through video surveillance);

— implementation by the users of access rights (including completing the registration procedure) to information systems (resources) owned (held by) the Operator, services provided on their basis, including services on the official website of the Operator on the Internet global computer network (www.pharmland.by) (hereinafter referred to as the “Internet Resource”);

— implementation of claims and litigation work, including the execution of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Republic of Belarus on enforcement proceedings;

— consideration of applications filed by subjects of personal data within the framework of legislation in the field of citizens’ appeals;

— ensuring access control at the Operator’s facilities;

— execution and submission of relevant reporting forms to executive authorities and other authorized organizations;

— implementation of civil law relations, including the execution of contracts to which the subject of personal data is a party;

— maintenance of accounting records and preparation of tax reporting;

— creation of reference materials for internal information support of the Operator’s activities, including for the compilation and use of a working telephone directory containing numbers of personal mobile phones;

— placement of personal data of employees on the Operator’s website, in social networks, in the media for the purpose of performing work functions for the Operator, including as a result of the employee’s participation in the cultural and mass events held by the Operator;

— holding sports, mass sports, entertainment and other events, including corporate events, compilation of lists of gift recipients, events participation lists, awards lists;

— for other purposes that do not contradict the law.

2.4. The legal basis for the processing of personal data is a set of regulatory legal acts, in pursuance of which and in accordance with which the Operator performs processing of personal data, including, but not limited to:

— Constitution of the Republic of Belarus;

— Civil Code of the Republic of Belarus;

— Labour Code of the Republic of Belarus;

— Tax Code of the Republic of Belarus;

— Law “On Information, Informatisation and Information Protection”;

— Law “On the Protection of Personal Data”;

— Law “On the Circulation of Medicines”;

— other regulatory legal acts governing relations related to the activities of the Operator.

2.5. The lawful grounds for personal data processing also include:

— Operator’s Articles of Association;

— agreements concluded between the Operator and subjects of personal data;

— consent of subjects of personal data to the processing of their personal data.

Categories of Subjects of Personal Data

3.1. The content and scope of processed personal data shall correspond to the stated purposes for which personal data are processed, as set forth in Section 2 of the Policy. The processed personal data shall not be excessive in relation to the stated purposes for which personal data are processed.

3.2. The Operator shall process the below-mentioned personal data of the following categories of subjects of personal data:

3.2.1. employees of the Operator, including those dismissed, as well as their relatives:

— last name, first name, patronymic;

— sex;

— date, month, year of birth;

— place of birth;

— digital portrait image;

— information contained in questionnaires and biographical data;

— information about citizenship (nationality);

— information about the details of documents confirming the personal data of specific subjects of personal data (document name, series, number, date of issue (acceptance), validity period, name of the organization that issued (accepted) the document), identification number;

— information about registration at the place of residence and/or place of stay;

— information about the death or declaration of a natural person as deceased, recognition as missing, incapacitated, or having limited capacity;

— contact details (telephone number, e-mail address);

— information about occupation;

— information about education and/or training, academic degree, academic title, qualification, additional education, passed certifications, qualification category;

— information about work and other experience, insurance certificate;

— information about the family composition, parents, guardians, trustees, marital status, spouse, child (children) of a natural person;

— information about health status;

— information about employment contract;

— information about the performance of military duty;

— information about income and property;

— information about disability, rehabilitation program;

— information about social benefits;

— information about the place of work and/or study of family members;

— information about the content of personal files, work record books, personalized accounting documents, and work activities;

— information about the content of personnel orders;

— information about criminal record;

— information about the content of reports submitted to statistical authorities;

— other information (the above list may be shortened or expanded depending on the specific case and purposes for which personal data are processed);

3.2.2. candidates for employment;

— last name, first name, patronymic;

— sex;

— date, month, year of birth;

— place of birth;

— digital portrait image;

— information contained in questionnaires and biographical data;

— information about citizenship (nationality);

— information about registration at the place of residence and/or place of stay;

— contact details (telephone number, e-mail address);

— information about education and/or training, academic degree, academic title, qualification, additional education, passed certifications, qualification category;

— information about work and other experience;

— information about marital status and family composition;

— information about the performance of military duty;

— information about disability;

— information about social benefits;

— information about criminal record;

— other personal data provided by the candidate in the CV;

3.2.3. the Operator’s counterparties (natural persons);

— last name, first name, patronymic;

— date, month, year of birth;

— place of birth;

— information about registration at the place of residence and/or place of stay;

— information about current account number, card account number;

— contact details (telephone number, e-mail address);

— other personal data necessary for the conclusion and execution of civil law contracts;

3.2.4. representatives (employees) of the Operator’s counterparties (legal entities);

— last name, first name, patronymic;

— contact details (telephone number, e-mail address);

— information about position held;

— other personal data necessary for the performance of the functions of representative of the Operator’s counterparty;

3.2.5. citizens who submitted applications to the Operator;

— last name, first name, patronymic;

— information about registration at the place of residence and/or place of stay;

3.2.6. consumers;

— last name, first name, patronymic;

— sex;

— age;

— other personal data, genetic and biometric personal data, consent for the processing of which was received from the subject of personal data or became known to the Operator in accordance with the legislation of the Republic of Belarus;

3.2.7. other subjects of personal data whose interaction with the Operator creates the need for the processing of their personal data to ensure the implementation of the purposes for which personal data are processed, which are specified in this Policy.

3.3. The content and scope of personal data of each category of subjects of personal data is determined by the need to achieve specific purposes for which personal data are processed, as well as the need for the Operator to exercise its rights and obligations, as well as the rights and obligations of the relevant subjects of personal data.

3.3. The Operator shall perform processing of biometric personal data (for example, photographs) in accordance with the legislation of the Republic of Belarus.

3.4. The Operator shall perform processing of special personal data concerning racial, national origin, political views, religious or philosophical beliefs, health status, intimate life solely with the consent of the subject of personal data to the processing of their personal data, such as, but not limited to, within the framework of the pharmacovigilance system, with the exception of cases stipulated by the legislation of the Republic of Belarus.

Basic Rights and Obligations of the Operator

4.1 The Operator shall be entitled:

— to independently determine the composition and list of measures necessary and sufficient to ensure the fulfilment of obligations stipulated by the Law on Personal Data and regulatory legal acts adopted in accordance with it, unless otherwise provided by law;

— in the event of withdrawal of consent of a subject of personal data to the processing of their personal data, the Operator shall be entitled to continue processing of such personal data without the consent of the subject of personal data in the presence of appropriate grounds specified in the Law on Personal Data.

The Operator shall be entitled to entrust the processing of personal data on its behalf or in its interests to an authorized person only on the basis of a contract (agreement) concluded with such an authorized person, which shall determine:

— the specific purposes for which personal data are processed;

— the list of actions that will be performed with personal data by an authorized person;

— an obligation of the authorized person to comply with the principles and rules for personal data processing provided for by this Policy and the legislation of the Republic of Belarus;

— obligations to maintain the confidentiality of personal data;

— measures to ensure the protection of personal data provided for in Article 17 of the Law on Personal Data.

In the event that the Operator entrusts the processing of personal data to an authorized person, the Operator shall be responsible to the subject of personal data for the actions of the said authorized person. The authorized person shall be responsible to the Operator. In particular, the authorized person of the Operator, which, in accordance with legislative acts, performs personal data processing, is the state institution State Pharmaceutical Supervision in the Sphere of Circulation of Medicines Gosfarmnadzor.

4.2 The Operator is obliged to:

— organize the processing of personal data in accordance with the requirements of the Law on Personal Data and ensure their protection in the process of their processing;

— respond to requests and inquiries from subjects of personal data in accordance with the requirements of the Law on Personal Data;

— report to the authorized body for the protection of the rights of subjects of personal data about violations of personal data protection systems immediately, but no later than 3 (three) working days after the Operator became aware of such violations;

— stop processing of personal data, as well as delete personal data (ensure that the processing of personal data is terminated and that it is deleted by an authorized person) and notify the subject of personal data about this within 15 (fifteen) days after receiving the application from the subject of personal data. If it is not technically possible to delete personal data, the Operator is obliged to take measures to prevent further processing of personal data, including blocking personal data, and notify the subject of personal data about it within the same period;

— ensure compliance with the requirements of the authorized body for the protection of the rights of subjects of personal data to eliminate violations of the legislation on personal data, and also bears other obligations established by law.

Rights of Subjects of Personal Data

5.1. Subjects of personal data, unless otherwise provided by law, shall be entitled to:

— make a decision on the provision of their personal data to the Operator;

— receive information regarding the processing of their personal data;

— introduce changes to their personal data in the event that the personal data is incomplete, outdated or inaccurate;

— withdraw consent to the processing of their personal data at any time, without giving any reasons;

— obtain information about the provision of their personal data to any third parties;

— demand free termination of the processing of their personal data, including the deletion of their personal data, in the absence of grounds for the processing of personal data provided for by legislative acts;

— appeal the actions (inactions) and decisions of the Operator that violate their rights in the course of personal data processing.

A person who has provided the Operator with incomplete, outdated, or inaccurate information about themself, or information about another subject of personal data without the latter’s consent, shall be held liable in accordance with the legislation of the Republic of Belarus.

5.2. To exercise the rights provided for in Paragraph 5.1 of the Policy, the subject of personal data shall submit an application to the Operator in writing or in the form of an electronic document.

The application of the subject of personal data shall contain:

— the last name, first name, patronymic (if any) of the subject of personal data, the address of their registered place of residence (place of stay);

— date of birth of the subject of personal data;

— personal identification number of the subject of personal data, or, in the absence of such number, the number of the identity document of the subject of personal data, in cases where this information was indicated by the subject of personal data when giving their consent to the Operator, or the processing of personal data is carried out without the consent of the subject of personal data;

— statement of the essence of demands of the subject of personal data;

— personal signature or electronic digital signature of the subject of personal data.

When the subject of personal data exercises their right to introduce changes to their personal data, they shall submit to the Operator an application executed in the manner established by this clause with the attachment of documents and/or their copies certified in the established manner, which confirm the need to introduce changes to the personal data. If the application of the subject of personal data does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject of personal data does not have the right to access the requested information, then a reasoned refusal shall be sent to the subject of personal data. The subject of personal data may be refused provision of information in accordance with Paragraph 3 of Article 11 of the Law on Personal Data.

The response to the application shall be sent to the subject of personal data in such a form, which corresponds to the form in which the application has been submitted, unless otherwise specified in the application itself.

The period for the Operator to provide a response to the application of the subject of personal data regarding the withdrawal of their consent, introduction of changes to personal data and information on the provision of personal data to any third parties amounts to 15 (fifteen) days.

The period for the Operator to provide a response to the application of the subject of personal data regarding the provision of information concerning the processing of their personal data amounts to 5 (five) working days.

The above-mentioned periods shall be calculated starting from the day following the day of receipt of the application by the Operator.

Procedure and Conditions for Personal Data Processing. Storage Periods for Personal Data.

6.1. Personal data processing shall be carried out by the Operator in accordance with the requirements of the legislation of the Republic of Belarus.

The processing of personal data by the Operator includes the following actions with personal data: collection; systematization; storage; modification; use; depersonalization; distribution; provision; deletion and other actions in accordance with the legislation of the Republic of Belarus.

6.2. The processing of personal data shall be carried out with the consent of the subjects of personal data to the processing of their personal data, as well as without such consent in cases stipulated by the legislation of the Republic of Belarus.

The consent of the subject of personal data is a free, unambiguous, informed expression of their will, by which they permit the processing of their personal data.

The consent of the subject of personal data may be obtained in writing, in the form of an electronic document or in another electronic form, including, but not limited to, by checking the appropriate box on the Operator’s Internet Resource by the subject of personal data.

The subject of personal data express their consent to the processing of their personal data on the terms set out in this Policy and confirms that they have read this Policy and agree with its terms.

6.3. The Operator shall carry out both automated and non-automated processing of personal data.

6.4. Only employees of the Operator, whose job responsibilities include processing of personal data, are allowed to perform personal data processing.

6.5. The sources of obtaining personal data are:

— personal data provided directly by the subject of personal data in oral and/or written form;

— publicly available sources;

— personal data provided by third parties exclusively in accordance with the procedure established by law.

6.6. Disclosure to third parties and distribution of personal data without the consent of the subject of personal data is not permitted, unless otherwise provided by law.

6.7. The transfer of personal data to inquiry and investigation bodies, tax authorities, the Social Security Fund and other executive authorities and organizations shall be carried out in accordance with the requirements of legislation of the Republic of Belarus.

6.8. The Operator shall perform personal data processing taking into account the need to ensure the protection of the rights and freedoms of subjects of personal data, including the protection of the right to privacy, personal and family secrets, based on the following principles:

— the processing of personal data shall be carried out on a lawful and fair grounds;

— the processing of personal data shall be carried out in proportion to the stated purposes for which personal data are processed and ensure a fair balance of interests of all interested parties at all stages of such processing;

— the processing of personal data shall be limited to the achievement of specified, explicit, and legitimate purposes. The processing of personal data that is incompatible with the originally stated purposes for which personal data are processed is not permitted;

— the content and scope of processed personal data correspond to the stated purposes for which personal data are processed. The processed personal data shall not be excessive in relation to the stated purposes for which personal data are processed;

— the processing of personal data shall be transparent. The subject of personal data may be provided with relevant information regarding the processing of their personal data;

— The Operator shall take measures to ensure the accuracy of the personal data processed by it and update such personal data as the circumstances may require;

— personal data shall be stored in a form that allows identification of the subject of personal data, no longer than during the period required by the stated purpose for which personal data are processed.

— ensuring the destruction of personal data upon achievement of the purposes for which personal data are processed or in the event of loss of the need to achieve these purposes, unless otherwise provided by the legislation of the Republic of Belarus.

6.9. The Operator shall store personal data within the storage periods of the documents in which they are contained, and also no longer than required by the purposes for which personal data are processed, unless the personal data storage period is established by the legislation of the Republic of Belarus or by a relevant agreement.

Measures to Ensure the Protection of Personal Data During Their Processing

7.1. When processing personal data, the Operator shall take the necessary legal, organizational and technical measures to ensure their protection from unauthorized or accidental access, deletion, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to personal data.

7.2. Ensuring the protection of personal data is achieved, among other things, by the following measures:

— identification of threats to the security of personal data in the process of their processing;

— adoption of local regulations and other documents governing relations in the field of processing and protection of personal data;

— creation of the necessary conditions for working with personal data;

— organization of work with information systems in which personal data is processed;

— organizing training for the Operator’s employees who are engaged in the processing of personal data;

— creation of appropriate conditions for the storage of personal data, which ensure the safety of personal data and exclude unauthorized access to personal data.

7.3. In the event that inaccurate personal data is detected upon the application of a subject of personal data or at their request or at the request of an authorized body for the protection of rights of subjects of personal data, the Operator shall block the unlawfully processed personal data related to such a subject of personal data from the moment of such application or receipt of the application (request).

Responsibility

8.1. In case of violation of the established procedure for the processing of personal data and ensuring the security of personal data, the persons responsible for the processing of personal data, employees of the Operator, shall be brought to disciplinary, administrative, civil or criminal liability in accordance with the legislation of the Republic of Belarus.

8.2. Control over compliance with the requirements of the Policy shall be carried out by the person responsible for organizing the processing of personal data by the Operator.

8.3. Responsibility for violation of the requirements of the legislation of the Republic of Belarus and the regulatory acts of the Operator in the field of processing and protection of personal data shall be determined in accordance with the legislation of the Republic of Belarus.

Final Provisions

9.1. Internal control over the Operator’s compliance with the legislation of the Republic of Belarus and Operator’s local regulations in the field of personal data, including requirements for the protection of personal data, shall be carried out by the person responsible for the implementation of internal control over the processing of personal data.

9.2. In compliance with the requirements of the Law on Personal Data, the Policy shall be made available to the general public on the Internet on the Operator’s website pharmland.by, and shall also be posted on the Operator’s information boards.

9.3. Any and all issues related to the processing of personal data, which are not specified in this Policy, shall be governed by the legislation of the Republic of Belarus.

9.4. The Operator shall be entitled, at its own discretion, to change and/or supplement the terms of this Policy without prior and/or subsequent notification of subjects of personal data by posting the relevant changes and/or additions on the Operator’s official website (information boards) in advance before such changes and/or additions come into force. Subjects of personal data shall independently obtain information about any changes and/or additions made on the Operator’s official website (information boards).