1. GENERAL PROVISIONS
1.1. The Personal Data Processing Policy of The Cult Hotel LLC “Z Z Corporation” (hereinafter – the Policy) has been developed in accordance with the Law of the Republic of Belarus of May 7, 2021 No. 99-Z “On Personal Data Protection” (hereinafter – the Law on Personal Data Protection) and other legislative acts of the Republic of Belarus, as well as the Charter of Z Z Corporation LLC, in order to ensure the protection of human rights and freedoms during the processing of their personal data. This Policy:
applies to the processing of personal data of subjects listed in clause 1.6 of the Policy;
explains to personal data subjects how and for what purposes their personal data are collected, used, or otherwise processed, and outlines their rights and the mechanisms for exercising those rights.
1.2. The Policy is an internal legal act of Z Z Corporation LLC (hereinafter – the Operator, Hotel, or Enterprise), governing relations related to the protection of personal data during their processing, carried out: using automation tools; or without the use of automation tools, if this allows searching for and/or accessing personal data according to specific criteria (card files, lists, databases, logs, etc.).
1.3. The Enterprise pays special attention to the protection of personal data during processing and respects the rights of personal data subjects. The processing of personal data by the Enterprise as the Operator is carried out in accordance with the Law on Personal Data Protection and this Policy.
1.4. The Policy does not apply to the processing of personal data: by individuals for purely personal, family, household, or similar non-professional purposes; or to personal data classified as state secrets in accordance with applicable law.
1.5. The terms and definitions used in this Policy have the meanings defined in Article 1 of the Law on Personal Data Protection.
1.6. The Policy also uses the following definitions:
Operator’s website – the official website of THE CULT Hotel at: https://www.thecult.by;
Operator’s social media accounts – the Operator’s accounts on social networks: Instagram (instagram.com/thecultboutique/); Facebook and others;
Counterparty – a legal entity or individual, including a sole proprietor, intending to conclude, concluding, or having concluded an agreement with the Enterprise;
Representative of a counterparty – a representative of a legal entity or sole proprietor intending to conclude, concluding, or having concluded an agreement with the Enterprise;
Other representative of a legal entity – an individual representing the interests of a legal entity: founders, shareholders, participants, management members, or other persons acting on behalf of or in the interest of the legal entity or sole proprietor (with or without a power of attorney), except for counterparties and their representatives;
Contractor – an individual intending to conclude, concluding, or having concluded and performing, or having previously performed, a civil contract with the Enterprise as the customer for specific work or services;
Employee – an individual in an employment relationship with the Enterprise under an employment contract (agreement);
Former employee – an individual previously in an employment relationship with the Enterprise;
Job applicant – an individual intending to provide, providing, or having provided personal data (e.g., via resume or otherwise) for employment purposes at the Enterprise, as well as any personal data collected and processed by the Enterprise for the same purpose;
Intern – an individual studying at an educational institution and sent for internship to the Enterprise, currently undergoing or having completed such internship at the Enterprise;
Other person contacting the Enterprise – an individual who has submitted an inquiry (application, proposal, or complaint) to the Enterprise in written, electronic, or oral form, attended a personal appointment, made an entry in the Guest Book of Comments and Suggestions, or applied for an administrative procedure;
Guest – an individual intending to order (purchase) and receive the Enterprise’s accommodation and related services at the Hotel for themselves or accompanying persons, or already receiving or having received such services, concluding (or having concluded) a paid service agreement with the Enterprise; the term “guest” also includes any person residing in the Hotel and receiving accommodation-related services;
Visitor – an individual who is not a guest but visits guests of the Hotel, attends Hotel events, the restaurant, or bar, or receives other Hotel services except accommodation and related services;
Subjects of personal data processed under this Policy include: counterparties (individuals, including sole proprietors), their representatives, other representatives of legal entities, contractors, employees, former employees, family members and relatives of employees, job applicants, their family members and relatives, interns, and other persons who have contacted the Enterprise.
1.7. The legal entity processing personal data is Z Z Corporation LLC, UNP 591037541, legal and postal address: 230005, Grodno, Gaspadarchaya Street 19 (the Enterprise / Operator).
1.8. This Policy enters into force upon approval and applies to all personal data processed by the Enterprise.
1.9. Pursuant to clause 4 of Article 17 of the Law on Personal Data Protection, this Policy is a publicly available document, accessible at the Enterprise and on its website, and allows any person to become acquainted with it.
1.10. The Enterprise, as the Operator, has the right to unilaterally amend or supplement this Policy, publishing the updated version at the Enterprise and on its website. Data subjects are responsible for reviewing updates at the Enterprise or on its website.
1.11. The Policy applies to the processing of personal data of data subjects listed in clause 1.6 of this Policy.
1.12. The requirements of the Law on Personal Data Protection and this Policy are mandatory for all employees and other persons directly involved in personal data processing.
1.13. General requirements for personal data processing at the Enterprise (processing principles):
1.13.1. Personal data processing shall be carried out in accordance with the Law on Personal Data Protection and other legislative acts;
1.13.2. Processing must be proportionate to the declared purposes and ensure a fair balance of interests for all parties throughout all stages;
1.13.3. Processing shall be based on the consent of the data subject, except where otherwise permitted by law. If processed without consent, purposes shall be established by the Law on Personal Data Protection and other legal acts;
1.13.4. Processing shall be limited to achieving specific, lawful, and pre-declared purposes. Processing incompatible with initial purposes is not allowed;
1.13.5. If initial purposes change, the Operator must obtain new consent from the data subject unless another legal basis applies;
1.13.6. The content and scope of processed data must correspond to the stated purposes and not be excessive;
1.13.7. Processing must be transparent. Accordingly, data subjects shall be provided with relevant information as required by law;
1.13.8. The Operator must ensure accuracy and, when necessary, update processed personal data;
1.13.9. Personal data shall be stored no longer than necessary to achieve the declared purposes.
2. PURPOSES, SCOPE, LEGAL GROUNDS AND RETENTION PERIODS OF PERSONAL DATA PROCESSING
2.1. The purposes of personal data processing at the Enterprise are based on the requirements of the legislation of the Republic of Belarus, the activities carried out by the Enterprise, the implemented business processes, and the provisions of contracts.
2.2. The Enterprise processes personal data of data subjects for the purposes, in the scope (list), on the legal grounds, and within the time limits defined in the Personal Data Processing Registers for each category of personal data subjects.
2.3. The processing of personal data shall be limited to achieving specific, pre-defined, and lawful purposes established in the Personal Data Processing Registers. The processing of personal data incompatible with the purposes of their collection is not permitted.
2.4. The content and volume of processed personal data, as well as the retention periods, shall correspond to the declared processing purposes set forth in the Personal Data Processing Registers. The processed personal data must not be excessive in relation to the declared purposes.
3. PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING BY THE OPERATOR
3.1. The processing of personal data by the Operator is carried out in accordance with the requirements of the legislation of the Republic of Belarus, both with and without the use of automation tools, ensuring the protection of the rights and freedoms of personal data subjects on a lawful and fair basis. Such processing is limited to achieving specific, pre-defined, and lawful purposes established in the Personal Data Processing Registers. During processing, the accuracy, sufficiency, and, when necessary, the relevance of personal data are ensured. The Operator shall take necessary measures to delete or correct incomplete or inaccurate data.
3.2. When processing personal data, the Operator shall not allow:
— processing incompatible with the purposes for which personal data were collected, as set out in the Personal Data Processing Registers;
— combining databases containing personal data that are processed for incompatible purposes;
— processing excessive personal data relative to the declared purposes.
3.3. Personal data processing by the Operator shall be based on the consent of the personal data subject, except as provided by Articles 6 and 8 of the Law on Personal Data Protection and other legislative acts (i.e., when other legal grounds exist).
3.4. Consent of the data subject is a free, specific, and informed expression of their will, allowing the processing of their personal data. Consent is provided in written form by personally signing a consent form developed by the Enterprise, which may specify the purposes, scope, and duration of data processing.
3.5. When providing consent to the Operator, the personal data subject indicates their surname, first name, patronymic (if applicable), date of birth, identification number, and, if absent, the number of the identity document, except where the purposes of processing do not require all of the above data.
3.6. According to Article 6 of the Law on Personal Data Protection, the consent of the personal data subject (except for special categories of personal data as defined by Article 8 of the Law) is not required in the following cases:
— for administrative and/or criminal proceedings, or operational-investigative activities;
— for the administration of justice, enforcement of court judgments, or execution of other legal documents;
— for supervisory (control) purposes as defined by legislative acts;
— for implementing laws on national security, anti-corruption, anti-money laundering, counter-terrorism, and non-proliferation of weapons of mass destruction;
— for electoral and referendum procedures, or recall of deputies in accordance with Belarusian legislation;
— for maintaining personalized accounting for state social insurance purposes, including professional pension insurance;
— for employment (service) relations or during the employment process when required by law;
— for notarial activities;
— for citizenship, refugee, asylum, or temporary protection matters;
— for the purpose of pension or allowance administration and payments;
— for official state statistical surveys and data collection;
— for scientific or research purposes under mandatory anonymization of personal data;
— for utility payment accounting, housing payments, or electricity cost reimbursement, as well as for applying benefits or recovering debts;
— when personal data are received under a contract with the data subject to perform actions defined by such contract;
— when data are contained in a document addressed to and signed by the data subject, in accordance with its content;
— for lawful professional journalistic or media activities aimed at protecting public interest, except as restricted by procedural law;
— for the protection of life, health, or other vital interests of the data subject or others, when obtaining consent is impossible;
— in respect of personal data that have already been made public until the subject requests termination of such processing and deletion, if no other legal grounds exist;
— when processing is required by law or authorized legislative acts;
— when the law expressly provides for processing without consent.
3.7. In accordance with Article 8 of the Law on Personal Data Protection, processing of special categories of personal data without consent is prohibited, except in the following cases:
— when such data have been made public by the data subject themselves;
— during employment or service relationships where permitted by law;
— for pension or allowance administration for certain public servants;
— by public associations, political parties, trade unions, or religious organizations, processing data of founders or members for statutory purposes, provided such data are not disclosed without consent;
— for the provision of medical care by authorized healthcare workers who are bound by medical confidentiality;
— for the administration of justice, enforcement of judgments, execution of notarial acts, or inheritance processing;
— for administrative or criminal proceedings, or operational activities;
— when required under national security, defense, anti-corruption, counter-terrorism, anti-extremism, or anti-money-laundering laws, or under laws on state borders, citizenship, migration, and asylum;
— for maintaining state crime registration systems;
— for forensic records and statistics purposes;
— for administrative procedures or under international readmission treaties;
— for population registration or documentation;
— for the protection of life, health, or other vital interests when consent cannot be obtained;
— when required by law or authorized legislative acts;
— when expressly permitted by the Law on Personal Data Protection or other legislative acts.
3.8. The processing of special personal data is permitted only if adequate measures are taken to prevent potential risks to the rights and freedoms of data subjects.
3.9. Even when processing is carried out without consent, in accordance with paragraph 6 of Article 4 of the Law on Personal Data Protection, the data subject has the right to know how and for what purposes their personal data are collected, used, transferred, or otherwise processed, and to obtain relevant information concerning such processing.
3.10. Personal data at the Enterprise are processed only by employees whose positions are included in the official list of authorized personnel, as well as by other persons granted access to data as prescribed by the Enterprise’s internal regulations.
3.11. Employees and other persons directly involved in data processing, or who have access to personal data, must comply with the legislation on personal data protection and the internal legal acts of the Enterprise.
3.12. The Enterprise may delegate the processing of personal data to an authorized party under a contract, legislative act, or government decision, provided that:
— the authorized party complies with the data processing requirements of the Law and other acts;
— the Enterprise, as the Operator, remains responsible to the data subject for the actions of the authorized party;
— the authorized party is responsible to the Enterprise for its actions.
3.13. The list of authorized parties is determined separately and made available to personal data subjects at the Enterprise.
3.14. Personal data may be processed by the Enterprise through:
— direct collection from data subjects in oral or written form;
— receipt from third parties in accordance with law or contracts;
— use of publicly available sources;
— processing within the Enterprise’s information systems, databases, and records;
— other lawful methods established by legislation.
3.15. Disclosure or dissemination of personal data to third parties without the subject’s consent is prohibited unless otherwise required by law.
3.16. Transfer of personal data to state bodies, including law enforcement agencies and courts, or to other organizations and institutions, shall be carried out in accordance with the legislation of the Republic of Belarus, with consent of the data subject unless otherwise provided by law.
3.17. Cross-border transfer of personal data to a foreign country may be carried out by the Enterprise as follows:
3.17.1. If the foreign country ensures an adequate level of protection of data subjects’ rights – without restrictions, provided legal grounds exist under the Law on Personal Data Protection;
3.17.2. If the foreign country does not ensure adequate protection – in the cases specified by Article 9 of the Law, including when:
— the data subject has consented after being informed of the risks due to inadequate protection;
— the data are transferred under a contract with the subject for its performance;
— the data may be obtained by any person under lawful request procedures;
— the transfer is necessary to protect life, health, or vital interests when consent cannot be obtained;
— processing is carried out under international treaties of the Republic of Belarus;
— the transfer is carried out by the financial monitoring authority to prevent money laundering or terrorist financing;
— appropriate authorization is obtained from the National Personal Data Protection Center (NPDPC).
3.18. The Operator processes and stores personal data no longer than necessary for the purposes of processing, within the time limits established by the Personal Data Processing Registers, legislation, contract, or consent of the data subject.
3.19. Processing of personal data shall cease upon the occurrence of one or more of the following events (if no other legal grounds exist):
— withdrawal of consent by the data subject;
— receipt of a demand to terminate processing and/or delete data;
— achievement of processing purposes;
— expiration of the consent validity period;
— expiration of the data retention period;
— detection of unlawful processing;
— order by the NPDPC;
— termination of the Enterprise’s activities.
3.20. Personal data shall be stored by the Operator in compliance with data protection requirements until the processing purposes are achieved or within the terms established by the Registers or the subject’s consent. Specifically:
— paper and other physical documents containing personal data shall be stored in premises excluding unauthorized access;
— electronic documents containing personal data shall be stored in the Enterprise’s information system using password protection and access control.
3.21. Paper and electronic documents containing personal data shall be destroyed or deleted (blocked) after processing is terminated, in accordance with data protection legislation and the internal acts of the Enterprise.
4. RIGHTS OF PERSONAL DATA SUBJECTS AND OBLIGATIONS OF THE OPERATOR
4.1. A personal data subject has the right to:
4.1.1. withdraw their consent to the processing of personal data at any time without stating reasons;
4.1.2. demand free termination of the processing of their personal data, including their deletion, if there are no legal grounds for processing provided by the Law on Personal Data Protection or other legislative acts;
4.1.3. receive information related to the processing of their personal data (without the need to justify their interest), including:
— the name and location of the Enterprise;
— confirmation of the fact that the Enterprise (or its authorized person) processes personal data;
— their personal data and the source from which they were obtained;
— the legal grounds and purposes of processing;
— the duration for which consent was granted;
— the name and address of the authorized person (if data processing has been delegated);
— any other information required by law.
4.1.4. request changes to their personal data if such data are incomplete, outdated, or inaccurate (with supporting documents or certified copies justifying the need for correction);
4.1.5. obtain information once per calendar year, free of charge, regarding the provision of their personal data to third parties, unless otherwise established by law.
4.2. The data subject also has the right to appeal against the actions (inaction) or decisions of the Enterprise that violate their rights when processing personal data to the National Personal Data Protection Center (NPDPC), as the authorized body for data protection, in accordance with the procedure established by the legislation on appeals from citizens and legal entities. Decisions of the NPDPC may be appealed in court under the procedure established by law.
4.3. To exercise the rights provided in Articles 10–13 of the Law on Personal Data Protection and clause 4.1 of this Policy, the data subject shall submit a written application to the Enterprise at the following address: 230005, Grodno, Gaspadarchaya Street 19, LLC “Z Z Corporation”. Legislation may require personal presence and the presentation of an identity document when submitting such an application.
4.4. The application of a data subject to exercise their rights must contain: surname, first name, patronymic (if any), residential (or stay) address, date of birth, identification number (or, if absent, the number of the identity document, if this information was previously provided to the Operator), a description of the request, and a personal or digital signature.
4.5. For assistance in exercising their rights, the data subject may also contact the person responsible for internal control of personal data processing at the Enterprise by email: [email protected].
4.6. The response to a data subject’s application to exercise their rights shall be sent in the same form as the application (in writing or electronically), unless otherwise specified in the application itself.
4.7. Employees of the Enterprise directly involved in the processing of personal data shall, based on an application from the data subject:
4.7.1. Upon receiving an application for withdrawal of consent to personal data processing, within fifteen days:
— terminate the processing of personal data, delete them, and notify the data subject thereof, unless there are other legal grounds for processing under the Law and other acts;
— if deletion is technically impossible, take measures to prevent further processing, including blocking the data, and notify the data subject within the same period.
4.7.2. Upon receiving an application demanding free termination of data processing, including deletion, within fifteen days:
— stop processing personal data, delete them (or ensure deletion by an authorized party), and notify the data subject;
— if deletion is technically impossible, take measures to block further processing and notify the data subject within the same period;
— the Operator may refuse to satisfy such a demand if there are legal grounds for continued processing, including where the data are still needed for the declared purposes, and shall notify the data subject of such refusal within fifteen days.
4.7.3. Upon receiving an application requesting information about data processing, provide the data subject with the relevant information within five business days (unless otherwise specified by law), or inform them of the reasons for refusal. Information specified in subclause 4.1.3 of this Policy shall not be provided in cases described in part 3 of Article 11 of the Law on Personal Data Protection.
4.7.4. Upon receiving an application requesting correction of personal data, make the necessary changes within fifteen days after receiving the request, or inform the data subject of the reasons for refusal, unless another correction procedure is established by law.
4.7.5. Upon receiving an application requesting information about disclosure of personal data to third parties, provide the data subject within fifteen days with information on what personal data were disclosed and to whom during the preceding year, or explain the reasons for refusal. This information may be withheld in cases provided by paragraph 3 of Article 11 of the Law, as well as in judicial and enforcement proceedings.
5. OBLIGATIONS OF THE OPERATOR AND MEASURES TO ENSURE PERSONAL DATA PROTECTION
5.1. The Operator shall:
5.1.1. inform the personal data subject of their rights related to the processing of personal data;
5.1.2. obtain the consent of the personal data subject for processing, except in cases provided by the Law on Personal Data Protection and other legislative acts (when other legal grounds exist);
5.1.3. before obtaining the written or electronic consent of the personal data subject, provide them with information including: the name and address of the Operator; the purposes of processing; the list of personal data subject to processing; the duration of consent; details of authorized persons (if applicable); the list of data processing actions permitted by the subject; a general description of processing methods; and any other information necessary to ensure transparency of processing;
5.1.4. before obtaining consent, explain to the data subject in clear and simple language their rights, the mechanism for exercising those rights, and the consequences of giving or withholding consent. This information shall be provided in writing or electronically, separately from other documents;
5.1.5. ensure the protection of personal data during processing;
5.1.6. if the initially declared purposes of processing are changed, obtain new consent from the personal data subject, unless another legal basis applies under the Law or other legislation;
5.1.7. take measures to ensure the accuracy of processed personal data and update them when necessary;
5.1.8. provide the data subject with information regarding their personal data and disclosures to third parties, except as limited by the Law and other acts;
5.1.9. amend personal data that are incomplete, outdated, or inaccurate, except where a different amendment procedure is provided by law or where the processing purpose does not require further modification of the data;
5.1.10. terminate processing and ensure deletion or blocking (including by an authorized party) of personal data where there are no legal grounds for processing under the Law or other acts;
5.1.11. implement legal, organizational, and technical measures to protect personal data against unauthorized or accidental access, modification, blocking, copying, dissemination, provision, or deletion, as well as other unlawful actions;
5.1.12. ensure unrestricted access to this Policy, including via the Internet, before any processing of personal data begins;
5.1.13. notify the National Personal Data Protection Center (NPDPC) of any personal data protection system breaches immediately, but no later than three working days after becoming aware of the incident, except as otherwise provided by the NPDPC;
5.1.14. modify, block, or delete inaccurate or unlawfully obtained personal data of the data subject upon request from the NPDPC, unless another procedure is established by law;
5.1.15. comply with any NPDPC requirements to correct violations of personal data legislation;
5.1.16. provide the NPDPC with information necessary to assess the legality of actions by Operators or authorized persons;
5.1.17. fulfill all other obligations established by the Law on Personal Data Protection and other legislative acts.
5.2. The Operator determines the scope and list of measures necessary and sufficient to ensure the protection of personal data, taking into account the requirements of the Law and other legislative acts.
5.3. Mandatory measures to ensure personal data protection include:
5.3.1. appointment by the Operator of a person responsible for internal control over personal data processing;
5.3.2. adoption by the Operator of this Policy;
5.3.3. familiarization of employees of the Enterprise (as the Operator) and other persons directly involved in data processing with the provisions of personal data legislation, including data protection requirements, this Policy, and other internal acts of the Enterprise, as well as conducting training as required by law;
5.3.4. establishment of access control procedures for personal data, including those processed in information systems;
5.3.5. implementation of technical and cryptographic protection of personal data in accordance with the procedures established by the Operations and Analytical Center under the President of the Republic of Belarus and in line with the classification of information systems containing personal data.
6. LIABILITY FOR VIOLATION OF PERSONAL DATA PROTECTION LEGISLATION
6.1. Persons found guilty of violating the provisions of personal data protection legislation shall be held liable in accordance with disciplinary, administrative, civil, or criminal procedures established by the legislation of the Republic of Belarus.
6.2. Moral damage caused to a personal data subject as a result of a violation of their rights established by the Law on Personal Data Protection shall be subject to compensation. Compensation for moral damage shall be provided regardless of any compensation for property damage or losses incurred by the personal data subject.