Privacy Notice about Processing of Personal Data
of Contractors and Other Third Parties
of the Eurasian Development Bank
1.Abbreviations, Terms and Definitions, Legal Framework and References
The definitions of terms and abbreviated names (abbreviations) of the Eurasian Development Bank's structural units and divisions as used in this Privacy Notice about processing of personal data of contractors and other third parties of the Eurasian Development Bank (“Notice”) is provided in the Bank Glossary.
Abbreviations
| Abbreviation | Meaning |
|---|---|
| Bank | Eurasian Development Bank |
| IRD | Internal regulatory document |
| PD | Personal Data |
Terms and Definitions Used Exclusively in this IRD
| Term | Definition |
|---|---|
| Regulatory document | Methodological recommendations (manuals), internal instructions, technical/technological maps, approved by orders of a senior manager or head of a structural unit (in accordance with the current categorization of positions in the Bank) within the established competence |
| Applicable legislation | Legislation applicable to PD processing based on the citizenship of the PD Subject or the Bank's obligations on the territory of the Bank's member states, taking into account the Bank's status as an international organization |
| Responsible for organization of processing of personal data | A person authorized by the Bank (full-time employee or external contractor) as an expert on the work with PD in the Bank |
| PD Controller | Bank, as an organization that carries out and (or) organizes the processing of personal data, and also determines the purposes of processing personal data, the composition of personal data to be processed, methods of processing and actions (operations) performed with PD |
| PD Subject | The Bank's contractors, users of the Bank's website, visitors to the Bank's offices, representatives of the contractor, owners of more than 5% of the contractor's shares, beneficial owners, members of the contractor's collegial body |
Legal Framework and References
The Bank's policy regarding working with personal data is determined, inter alia, in accordance with:
- the legislation of the countries on which territory the Bank processes personal data in accordance with clause 3.8.1. of the Notice, government decrees, and other applicable regulatory legal acts;
- the Agreement on the establishment of the Eurasian Development Bank, the Charter of the Bank, Agreements between the Governments of the participating states and the Bank on the conditions of the Bank's stay on the territory of the participating state, as well as other Bank' IRD.
In accordance with the Bank Charter, Bank possesses international organization immunity to achieve its goals and perform its functions provided for by the constituent documents of the Bank.
2.Intended Use and Scope
2.1Purpose
This Notice has been developed in order to define the basic principles, objectives, conditions and methods of processing PD of the Bank's contractors and other third parties interacting with the Bank, the list of PD processed in the Bank, the rights of Subjects, as well as the requirements for the protection of PD implemented in the Bank.
This Notice is the basis for the development by the Bank's subscribers and organizations of internal regulatory documents defining the policy of PD processing in these organizations.
2.2Scope and Owner of the Process
This Notice applies to the Bank's contractors, users of the Bank's website, visitors of the Bank's offices, representatives of contractors, owners of more than 5% of the contractor's shares, beneficial owners, members of the contractor's board.
The owner of this Notice is the Legal Department.
This Notice is amended as necessary, taking into account changes in the Applicable law.
The owner of this Notice is the Legal Department. In the event of reorganization (abolition, change of structure, change of name) of any of the divisions specified in this Notice or renaming of positions of Bank employees, before making appropriate changes to this Notice, the duties of such a division, employee are performed by the division, employee to whom the relevant functions and powers have been transferred.
The Notice is posted on the official Bank resources:
- Bank website https://eabr.org;
- offices, representative offices and branches of the Bank.
3.General Provisions
3.1Principles of PD Processing
PD processing at the Bank is carried out on the basis of the following principles:
- PD is processed on the basis of fairness and expediency;
- PD is stored for predetermined purposes and is not used in any other way incompatible with these purposes;
- PD are adequate, relevant and not excessive for the purposes of their storage;
- PD is accurate and, when necessary, updated;
- PD is stored in a form that allows identification of PD Subjects, no longer than required for predetermined purposes. Upon achieving the processing goals or in the event of the loss of the need to achieve these goals, at the legal request of the PD Subject or authorized bodies, PD must be destroyed or depersonalized, unless otherwise provided by the Applicable Law;
- the Bank processes personal data both using automation tools, and without the use of such means.
3.2Legal Grounds for Personal Data Processing
The Bank processes personal data on the following legal grounds:
- agreement concluded with the contractor;
- competitive application submitted to participate in a competition held by the Bank;
- IRD for the purpose of the Bank's continuous implementation of operating activities;
- Consent – in cases where processing is carried out not within the framework of the Bank's operating activities established by the Bank's Charter;
- visiting the Bank's website;
- legal acts of the Applicable Legislation obliging the Bank to process personal data.
3.3Data Processing Purposes
The Bank processes PD in order to:
- preparation, conclusion and execution a civil contract;
- verification of the contractor;
- formation of the contractors database;
- ensuring the safety of the Bank and the Bank's employees.
For processing PD for other purposes, the Bank always provides a legal basis and includes such purposes in this Notice at the next update.
The register of personal data processing, indicating which categories of data are used for what purposes, is given in Appendix No. 1 to this Notice.
3.4List of PD Subjects Whose Data is Processed by the Bank
In the processes discussed in this Notice, the Bank processes PD of the following categories of PD Subjects:
- Bank contractors (individual & private entrepreneurs and individuals);
- representatives of contractors;
- users of the Bank's website;
- owners of more than 5% of the contractors' shares;
- beneficial owners of the contractors;
- members of the collegial body of the contractors;
- visitors to the Bank's offices.
3.5PD Collection Procedure
The Bank collects PD in the following ways:
- directly from the PD Subject;
- from publicly available sources;
- from third parties who are representatives of the contractor by proxy and authorized to disclose information about the beneficial owners and owners of the contractor.
3.6List of PD
3.6.1. PD subject — Bank contractor:
- full name (former full name);
- contacts (phone number, email address);
- date and place of birth;
- citizenship;
- address registration;
- address of temporary stay;
- INN/IIN (or equivalent), place of tax registration;
- details of the identity document;
- driver's license details;
- data on education, professional skills, advanced training and work experience;
- marital status, information about relatives/spouses;
- presence/absence of a criminal record;
- presence/absence of received and outstanding loans.
3.6.2. PD subject — representative of the contractor:
- full name;
- contacts (phone number, email address);
- job title;
- details of the identity document;
- registration address.
3.6.3. PD subject — user of the Bank's website:
- user behavior using cookies;
- IP address.
3.6.4. PD subject — owner of more than 5% of shares/shares and information about beneficial owners, member of the collegial body:
- full name;
- date of birth;
- country of tax residence;
- citizenship;
- INN/IIN (or equivalent);
- job title;
- details of the identity document;
- e-mail address.
3.6.5. PD subject — visitors to Bank offices:
- full name;
- details of the identity document.
3.7Functions of the Bank When Processing PD
3.7.1. When processing PD, the Bank:
- takes measures necessary and sufficient to ensure compliance with the requirements of Applicable legislation, IRD and Regulatory documents of the Bank in the field of PD;
- takes legal, organizational and technical measures to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, providing, distribution of PD, as well as from other illegal actions in relation to PD;
- appoints a Person responsible for organizing the processing of personal data;
- approves the IRD and issues regulatory documents;
- provides familiarization of the Bank's employees directly involved in the processing of PD with the Applicable legislation, IRD and Regulatory documents of the Bank in the field of PD;
- provides training to Bank employees directly involved in PD processing on the rules of working with PD;
- publishes or otherwise provides unrestricted access to the present Notice;
- informs, in accordance with the established procedure, PD Subjects or their legal representatives about the availability of PD related to the relevant PD Subjects, provides an opportunity to familiarize with these PD when contacting and (or) receiving requests from these PD Subjects or their legal representatives, unless otherwise established by Applicable Law;
- stops processing and destroys PD in cases provided for by Applicable Law;
- performs other actions provided for by Applicable Law.
3.7.2. The person responsible for the organization of personal data processing is obliged to:
- carry out internal control over compliance by the Bank and its employees with Applicable legislation;
- bring to the attention of the Bank's employees the provisions of Applicable legislation, IRD on the processing of PD, requirements for the protection of PD;
- organize the reception and processing of appeals and requests from PD Subjects or their representatives on the procedure for processing PD and (or) to monitor the reception and processing of such appeals and requests;
- develop and submit for approval by the Bank's bodies documents defining the Bank's policy regarding the processing of PD;
- monitor the development and updating of IRD on the processing of PD, as well as IRD establishing procedures aimed at preventing and detecting violations of Applicable legislation, eliminating the consequences of such violations;
- implementation of internal control and (or) audit of compliance of PD processing with Applicable legislation and regulatory legal acts adopted in accordance with it, the Bank IRD;
- assessment of the harm that may be caused to PD Subjects in case of violation of Applicable legislation, the ratio of the specified harm and the measures taken by the Bank aimed at ensuring the fulfillment of obligations provided for by Applicable law;
- other measures necessary to work with PD.
3.8EDB Member States Where the EDB Processes PD
Bank processes PD on the territory of the following countries:
- the Republic of Armenia;
- the Republic of Belarus;
- the Republic of Kazakhstan;
- the Kyrgyz Republic;
- the Russian Federation;
- the Republic of Tajikistan.
Databases of information containing PD are located on the territory of the Russian Federation and the Republic of Kazakhstan, in strict accordance with Applicable legislation.
3.9PD Storage Periods
The Bank ensures the storage of PD during the period stipulated by the agreement with the PD Subject and (or) the consent of the PD Subject.
The Bank processes PD in accordance with Applicable Law (including the terms of storage of archival documents and accounting), the statute of limitations, as well as the Bank's IRD.
The Bank processes the data of PD Subjects within five years after the termination of legal relations with them in order to protect its rights during the limitation period.
3.10The Rights of PD Subjects
The PD subject has the right:
- to know about the processing of personal data by the Bank, to know the main purposes of their processing;
- to receive, after a reasonable period of time and without excessive delay or excessive expenses, confirmation of the Bank's processing of its PD, as well as to receive its PD in an understandable form, if the Bank has no legal obstacles to providing such information;
- to seek correction of inaccurate PD and to seek the destruction of PD if their processing does not meet the grounds for PD processing;
- resort to legal remedies in case of non-compliance with the request.
The PD Subject may exercise the rights specified in this Notice, as well as ask all questions about the procedure for working with PD by personally contacting the Bank by sending a written request to the headquarters of the Bank, its branch or representative offices at the addresses indicated on the official website of the Bank, available at the link: https://eabr.org/contacts/.
3.11Confidentiality of PD
Personal data that has become known to the Bank is a confidential information and is protected by law.
Bank's employees and other persons who have gained access to the processed PD have signed an obligation not to disclose confidential information, and have also been warned of possible disciplinary, administrative, civil and criminal liability in case of violation of the norms and requirements of applicable legislation in the field of PD processing.
The Bank's contracts with contractors contain confidentiality provisions for the transferred data and received PD, including with persons involved in the processing of PD.
3.12Transfer of PD to Third Parties
Bank may transfer the received data to the following persons:
- contractors entering into contractual relations with the Bank;
- to other third parties to maintain the Bank's operational activities.
The Bank does not provide or disclose PD to third parties without a proper legal basis, such as, for example, the consent of the PD Subject and (or) the contract. When transferring personal data to third parties, the Bank is responsible for the actions of third parties as its own.
Appendix No. 1 to the Privacy Notice
Register of Personal Data Processing
about processing of personal data of contractors and other third parties of the Eurasian Development Bank
| Purpose of processing | PD Subjects | Data categories | Processing method | Retention period | Destruction method |
|---|---|---|---|---|---|
| Preparation, conclusion and execution of a civil contract | Contractors / Contractors' representatives | full name, position, department, company, phone number, email address | automated / non-automated | * | ** |
| Verification of the contractor | Contractors / Contractors' representatives / Sole executive body; Owner of more than 5% of shares/shares / Beneficial owner | full name, previous full name, e-mail address, phone number, date and place of birth, citizenship, address of registration and temporary stay, TIN (or equivalent), place of tax registration, details of civil and foreign passports, credit information, competencies, advanced training and work experience | automated / non-automated | * | ** |
| Formation of the contractors database | Contractors / Contractors' representatives | full name, previous full name, email address, telephone number, date and place of birth, citizenship, address of registration and temporary residence, TIN (or equivalent), place of tax registration, insurance number of an individual personal account, civil and foreign passport details, credit information, education data, advanced training and work experience | automated / non-automated | * | ** |
| Ensuring the safety of the Bank and the Bank's employees | Contractors / Contractors' representatives | photo and video materials, full name, position, name of organization, identity document details | automated / non-automated | * | ** |
* In accordance with the current legislation of the Bank's member States
** In accordance with the current legislation of the Bank's member States