PERSONAL DATA

PROCESSING POLICY

Last Updated: 10 March 2025.

1. GENERAL PROVISIONS

  1. 1.1.  This Personal Data Processing Policy (hereinafter – the Policy) defines the activities of Fabros LLC, registered at: Republic of Belarus, 220062, Minsk, Pobediteley Avenue 106, Office 300 (hereinafter – the Operator) with respect to the processing of personal data of all categories of personal data subjects (hereinafter collectively – the Data Subjects), with the exception of: (1) the Operator’s employees and their family members, (2) users of the Operator’s mobile applications, as well as (3) users of the Operator’s online platform available at: https://bee-freelancer.com.

  2. 1.2.  This Policy has been developed in accordance with the requirements of the Law of the Republic of Belarus dated May 7, 2021 No. 99-Z "On the Protection of Personal Data" (hereinafter – the Personal Data Law) for the purpose of ensuring the protection of the rights and freedoms of individuals in the processing of their personal data, including the protection of the rights to privacy, and personal and family confidentiality.

  3. 1.3.  The Policy clarifies how and for what purposes personal data is collected, used, or otherwise processed by the Operator, as well as sets forth the duties, rights, and mechanisms for their exercise available to the Data Subjects in this regard.

  4. 1.4.  The terms defined in Article 1 of the Personal Data Law are used in this Policy with the same meaning.

  5. 1.5.  Control over the implementation of the requirements of this Policy is carried out by the person responsible for internal control over the processing of personal data at the Operator, i.e. the Data Protection Officer (hereinafter – the DPO).

2. CATEGORIES OF DATA SUBJECTS, LIST OF PROCESSED DATA, PURPOSES, LEGAL BASES, AND PROCESSING PERIODS

  1. 2.1.  This Policy applies to the processing by the Operator of the personal data of the following categories of Data Subjects:

    • (1) Job applicants,

    • (2) Visitors of the Operator’s office,

    • (3) The Operator’s partners, and their representatives (contact persons and employees),

    • (4) Shareholders of the Operator,

    • (5) Affiliated persons of the Operator,

    • (6) Individuals who have contacted the Operator or registered for an in-person appointment.

  2. 2.2.  The Operator processes personal data for the purposes, in the volume, on the legal bases, and for the periods applicable to each category of Data Subjects, as specified in Annex 1 to this Policy.

  3. 2.3.  The volume of processed personal data indicated in Annex 1 for each purpose is non-exhaustive and may include other data provided by the Data Subjects to the Operator on their own initiative, in accordance with the requirements of the legislation, as well as for the fulfillment of mutual rights and obligations.

  4. 2.4.  Operator does not process personal data concerning race or ethnic origin, political opinions, membership in trade unions, religious or other beliefs, health or sex life, involvement in administrative or criminal liability, or genetic personal data, except in cases where the Data Subject has provided such data to the Operator voluntarily or when they have become known to the Operator in cases permitted by law.

  5. 2.5.  The processing of personal data by the Operator includes the following actions: collection, compilation, storage, transmission (including cross-border transmission), alteration, use, anonymization, blocking, provision, deletion, and other actions in accordance with Belarusian law.

  6. 2.6.  Operator stores personal data for no longer than necessary to fulfill the purposes of processing. If the retention period is not established by Belarusian law, the Operator determines it independently in accordance with the purposes of processing. The retention periods for personal data are specified in Annex 1 to this Policy.

    7. 3. PERSONAL DATA TRANSMISSION

    1. 3.1.  Operator is entitled to engage third parties for the processing of personal data if it is necessary for the purposes specified in Annex 1 to the Policy. Some of these parties act as independent controllers, while others serve as processors.

      • (1) Third parties – controllers independently determine the purposes, methods, volume of data processing, and the retention periods (for example, insurance companies when insuring employees’ medical expenses, banks when processing payments). The Operator cannot control the processing of personal data by these parties and is not responsible for their actions while processing the data.

      • (2) Third parties – processors act exclusively in accordance with the instructions and purposes of the Operator, in which case the Operator is responsible for the processing of the personal data transmitted to these third parties (for example, hosting and cloud data storage services, etc.).

    2. 3.2.  Operator maintains records of its processors.

    3. 3.3.  Some of the third parties engaged by the Operator for the processing of personal data are located in foreign states (cross-border data transmission).

    4. 3.4.  Cross-border transmission of personal data to another country may be carried out by the Operator in the following cases:

      • (1) if in the foreign country there is an adequate level of protection for the rights of Data Subjects (the list of such countries is determined by the order of the National Center for the Protection of Personal Data of the Republic of Belarus);

      • (2) if the processing of personal data is necessary for the performance of the obligations (or authorities) provided for by legal acts (in particular, if the processing of data is necessary for the performance of an employee’s assigned work function);

      • (3) if the personal data have been obtained on the basis of a contract concluded (or being concluded) with the Data Subject for the purpose of carrying out actions specified in that contract;

      • (4) upon the Data Subject’s consent, provided the Data Subject has been informed of the risks arising due to the lack of an adequate level of data protection in the foreign country where the data are transferred.

    5. 3.5.  Personal data may also be transmitted by the Company to authorized governmental bodies and organizations if such disclosure is required under applicable law (including upon the request of the relevant authority).

    4. MEASURES TO ENSURE THE PROTECTION OF PERSONAL DATA

    1. 4.1.  Operator undertakes the necessary legal, organizational, and technical measures to ensure the protection of personal data from unauthorized or accidental access, alteration, blocking, copying, distribution, provision, deletion, as well as from other illegitimate actions regarding personal data.

    2. 4.2.  In particular, Operator:

      • (1) Controls access to its office premises;

      • (2) Restricts access to personal data among its employees and third parties;

      • (3) Provides its employees with a secure system for storing access passwords to the Operator’s work systems and resources;

      • (4) Ensures the backup of data;

      • (5) Regularly updates software and operating systems;

      • (6) Monitors the proper processing of personal data (in particular, by appointing a person responsible for such monitoring);

      • (7) Adopts documents that define the Operator’s policy regarding the processing of personal data;

      • (8) Informs employees and other persons directly involved in the processing of personal data about the applicable laws on personal data, including the requirements for protecting personal data, as well as about the documents defining the Operator’s policy regarding the processing of personal data, and provides training for these employees and other persons as required by law;

      • (9) Regularly monitors compliance with Belarusian law on data protection and this Policy.

      3. 5. RIGHTS OF DATA SUBJECTS

    3. 5.1.  Data Subject is entitled to:

      • (1) if his/her data is processed based on consent, withdraw the consent to processing at any time without providing any reasons;

      • (2) receive from the Operator information regarding the processing of their personal data;

      • (3) request that the Operator make changes to his/her personal data in the event that such data is incomplete, outdated, or inaccurate;

      • (4) receive from the Operator information about the disclosure of their personal data to third parties once per calendar year free of charge, unless otherwise provided by law;

      • (5) request from the Operator the free cessation of processing of their personal data, including deletion, if there are no grounds for processing of such data;

      • (6) appeal against the actions (or inaction) and decisions of the Operator that violate the rights of the Data Subject to the authorized body for the protection of Data Subjects (the National Center for Personal Data Protection of the Republic of Belarus, https://cpd.by), while the decision of that authorized body may be appealed in court;

      • (7) demand compensation for material and moral damages and for losses incurred as a result of violations of rights established by personal data legislation.

    4. 5.2.  In order to exercise the aforementioned rights, the Data Subject must submit an application to the Operator in writing (either by postal mail or in person) or in the form of an electronic document (i.e., signed with an electronic digital signature). In general, the application must contain:

      • (1) surname, first name, and patronymic (if applicable), the address of residence (or place of stay);

      • (2) date of birth;

      • (3) identification number, or if no such number exists, the number of the identity document;

      • (4) nature of the request;

      • (5) personal signature or electronic digital signature.

    5. 5.3.  Application processing timeframes under the law are as follows:

      • (1) 5 working days - for requests for information regarding the processing of personal data;

      • (2) 15 calendar days - for all other applications.

    6. 5.4.  For assistance with exercising their rights related to the processing of personal data by the Operator, the Data Subject may contact the Operator by sending a message to the following email address: privacy@fabros.by.

    6. MISCELLANEOUS

    1. 6.1.  Matters concerning the processing of personal data not specified in this Policy are governed by Belarusian law.

    2. 6.2.  If any provision of this Policy is found to be in conflict with the law, the remaining provisions that comply with the law shall remain in force and valid, and any invalid provision shall be deemed removed or modified to the extent necessary to ensure its compliance with the legislation.

    3. 6.3.  Operator reserves the right to modify and/or supplement the terms of this Policy at any time at its discretion.

    4. 6.4.  Operator's contact details for issues related to personal data processing: privacy@fabros.by.

    Annex 1

    PURPOSES, SCOPE, LEGAL BASES, AND RETENTION PERIODS

    for the processing of personal data by the Operator

    Purposes for Data Processing

    Categories of Data Subjects

    List of Processed Personal Data

    Legal Bases for Processing

    Retention Period

    1

    2

    3

    4

    5

    Video surveillance: control of visitor access to the Operator's office premises, for the purpose of protecting the Operator's property and confidential information

    Operator’s visitors

    Images of Data Subjects

    Processing is necessary for the performance of duties (or the exercise of powers) provided by legislative acts

    60 days

    Evaluation of a potential candidate for subsequent employment

    Job applicants

    - Surname, first name, and patronymic
    - Details about work experience
    - Information about education
    - Other information provided by the candidate, including:
    in the CV,
    on specialized job search resources (websites) such as (rabota.by, LinkedIn)
    during the interview
    - Salary expectations

    - If the Operator receives information from open resources (job search websites such as (rabota.by, LinkedIn) - processing of data that has been previously disseminated
    - If the Operator receives a CV via email – processing based on the Data Subject's consent
    - If the Data Subject submits a CV through an online form on the Operator’s website – processing based on the Data Subject's consent
    - If the Operator receives data through personnel/recruitment agencies – the respective agency obtains the consent

    - 1 year in case of non-employment
    - If employed, until the termination of the employment relationship

    Handling requests of individuals and legal entities

    Person submitting the inquiry or its representative

    - Surname, first name, and patronymic
    - Contact details (phone, email)
    - Content of the request
    - Other data provided in the request

    Processing is necessary for the fulfillment of obligations provided by legislative acts

    5 years

    Personal appointments for citizens (including registration for a personal appointment)

    Person registered for (or attending) a personal appointment

    - Surname, first name, and patronymic
    - Contact details (phone, email)
    - Content of the request

    Processing is necessary for the fulfillment of obligations provided by legislative acts

    5 years

    Conclusion, execution, amendment, and termination of contracts

    Persons who are a party to the contract, its representatives, or contact persons

    For contracts with a legal entity:
    - Full name, position, and contact details of the representatives

    For contracts with an individual entrepreneur:
    - Surname, first name, and patronymic
    - Registration number
    - Registered address
    - Contact details (email, telephone, etc.)
    - Amount of remuneration
    - Account details for payment of the remuneration

    For contracts with natural persons:
    - Surname, first name, and patronymic
    - Registered address (residence address)
    - Data from the identity document
    - Contact details (email, telephone, etc.)
    - Amount of remuneration
    - Bank details or card/account details for payment of the remuneration

    - Citizenship
    - Gender
    - Date of birth
    - Place of birth
    - Social insurance number

    Processing is based on a contract concluded (or being concluded) with the Data Subject for the purpose of performing the actions stipulated in that contract./p>

    Processing is necessary for fulfilling obligations provided by legislative acts (such as payment of personal income tax, contributions to state social insurance, and other mandatory payments, submission of personalized accounting forms, etc.)

    For the duration of the contract and for 3 years following an audit by the tax authorities, and if such an audit is not conducted – for 10 years after contract termination

    Interaction with shareholders (dividend payments, providing shareholders information to government bodies/organizations and banks, holding general meetings of shareholders)

    Shareholders

    - Surname, first name, and patronymic
    - Date of birth
    - Registered address
    - Passport details
    - Contact details (telephone, email)
    - Bank account details for dividend payment

    Processing is necessary for the fulfillment of obligations provided by legislative acts

    Until the Operator’s dissolution

    Keeping records of affiliated and related persons (control of transactions with those persons)

    Affiliated and related persons

    - Surname, first name, and patronymic
    - Passport details
    - Indicator of affiliation
    - Ownership of shares in the charter funds of other organizations
    - Holding a position in the management bodies of other organizations

    Processing is necessary for the fulfillment of obligations provided by legislative acts

    Until the Operator’s dissolution

    Operation of the website www.fabros.by

    Website visitors

    Cookies:

    - http-cookie, a server-side cookie without which the website cannot display correctly;

    - fabros_session, which ensures the preservation of the preferred language (by default, English is set; if the visitor selects Russian, the cookie saves this choice)

    Processing is necessary for the proper functioning of the website

    fabros_session – 1 year,

    http-cookie - 2 days

    Annex 2

    LIST OF AUTHORIZED PERSONS

    processing personal data on behalf of the Operator

     

    Authorized person

    Subject of the contract

    Country of registration

    1

    Yandex Cloud LLC

    cloud data storage

    Russia

    2

    Human System LLC

    accounting software

    Belarus

    3

    Google Ireland Limited

    Google Workspace (solution suite: email, file storage)

    Ireland

    4

    Slack Technologies Limited

    Slack (software for electronic communication)

    Ireland

    5

    Attlassian Pty Ltd

    Jira, Confluence, Bitbucket (software for team collaboration and project management)

    Australia

    6

    Docusign, Inc.

    Docusign (software for electronic document signing)

    USA

    7

    Adria Group LLC

    translation services

    Belarus

    8

    ITJob LLC

    personnel recruitment services (recruitment agency)

    Belarus

    9

    Oksee Team LLC

    personnel recruitment services (recruitment agency)

    Belarus

    10

    StaffBy LLC

    personnel recruitment services (recruitment agency)

    Belarus
  • Fabros logo 106 Pobediteley ave., office 300, 220062 Minsk, Belarus

Apple, the Apple logo, iPhone, and iPad are trademarks of Apple Inc., registered in the U.S. and other countries and regions. App Store is a service mark of Apple Inc. Google Play and the Google Play logo are trademarks of Google LLC.

© 2025 Fabros