Privacy Notice
PRIVACY POLICY of VFS BY LLC
VFS BY Limited Liability Company (“VFS BY LLC” or the “Company”) is a part of VFS Global Group, which is a major provider of outsourcing and technology services to governments and diplomatic missions around the world.
The Company fulfills only administrative functions, related to acceptance of documents from citizens applying to diplomatic missions for visas, and provides additional services in accordance with existing obligations with governments/diplomatic missions of foreign states. The Company does not participate in or influence decision-making by diplomatic missions.
CHAPTER 1
GENERAL PROVISIONS. SCOPE
1.1. The Company pays special attention to ensuring personal data protection. Taking into account specifics of the Company's activities, in its processes it is guided not only by legislation of the Republic of Belarus, but also by foreign legislation (in particular, General Data Protection Regulation (EU) No. 2016/679, Visa Code of the European Union).
1.2. This Privacy Policy (“Policy”) describes how and for which purposes personal data are collected, used or otherwise processed by the Company. It defines the rights of individuals whose personal data are processed, as well as the mechanisms for their implementation.
1.3. This Policy applies to relations on processing by the Company of personal data of users of the website https://vfsglobal.by (“Website”), applicants at all stages of submitting documents for a visa, visitors to the premises of visa centers, persons submitting queries to the Company, job candidates, and the Company's counterparties (“personal data subjects”, “data subjects”).
1.4. This Regulation does not apply to processing of personal data of the Company's employees in the course of their work activities; processing of personal data within CCTV process; processing of cookies.
-
1.5. Information about the Company:
Company’s name: VFS BY LLC
Legal and postal address of the Company: Republic of Belarus, 220006, Minsk, Bobruiskaya St., 6/7 (Galileo Shopping Center, 5th floor)
Internet address: https://vfsglobal.by
E-mail (general): [email protected]
-
1.6. Terms used in this Policy have the meaning specified in the Law of the Republic of Belarus dd. May 7, 2021 No. 99-З “On Personal Data Protection” (“Law”), as well as:
Diplomatic mission (or mission) - a diplomatic mission or consular office of a foreign state responsible for issuing visas, within the framework of existing relations with which the Company provides support to citizens when they submit documents for visas.
1.7. Control over compliance with the requirements of the Policy is carried out by the Company’s Data Protection Officer. Questions regarding implementation of this Privacy Policy can be addressed to him/her by sending a message to the email address [email protected]
CHAPTER 2
TERMS OF PERSONAL DATA PROCESSING
2.1. The Company processes only those personal data that are necessary to achieve corresponding purposes and does not allow their excessive processing. Detailed information on processing is specified in the Appendix to this Policy (“Appendix”).
2.2. Within certain processes (as specified in the Appendix), the Company acts as a Processor, i.e. it processes personal data on behalf of other entities (controllers). They are the ones who determine the purposes, conditions of processing and the volume of data processed, and are directly responsible to the personal data subject for processing. The Company as a Processor is bound by the instructions of such controllers and is obliged to follow them.
For example, the list of documents required for a visa is always determined by the government/diplomatic mission and depends on the country to which the application is submitted. It is the government/diplomatic mission that determines the purpose and conditions for processing of personal data that will be collected, processed and transferred by the Company as part of the visa application process. This means that the Controller in relation to this process is the government/diplomatic mission of a foreign state, and the Company is Processor. Similarly, the Company acts as the Processor when collecting biometric data as part of processing of visa applications (including obtaining consent for processing of fingerprints on behalf of the government/diplomatic mission). Detailed information on how the relevant government/diplomatic mission processes personal data of applicants can be obtained by visiting the website of the relevant diplomatic mission.
2.3. The Company processes personal data both using automation tools (i.e. in electronic form) and without using them, performing the following actions with personal data depending on the purpose(s) of processing: collection, systematization, storage, modification, use, depersonalization, provision (including cross-border transfer), deletion (destruction), and other actions performed in accordance with applicable law.
2.4. In cases where there is no other legal basis for processing of personal data, the Company obtains the consent of personal data subject.
-
2.5. Personal data is stored in a form allowing identification of personal data subject for no longer than required by corresponding purposes of processing. Storage periods are determined taking into account the requirements of legislation, specifics of the Company's activities and its obligation to act, requirements of diplomatic missions, foreign legislation. They are specified in the Appendix to this Policy.
Upon expiration of the established storage periods, documents containing personal data are destroyed, and personal data contained in information systems (resources) are deleted.
CHAPTER 3
TRANSFER OF PERSONAL DATA TO THIRD PARTIES (PROCESSORS). CROSS-BORDER TRANSFER
-
3.1. Processors
-
3.1.1. The Company engages the following categories of processors to processing of personal data:
- companies engaged to provision of additional services by the Company (e.g. courier delivery of documents, SMS mailings);
- companies acting as call centers;
- companies acting as archives;
- companies otherwise involved in data processing processes and acting on behalf of and in accordance with the instructions of the Company (if any).
3.1.2. The Company analyzes processors engaged for processing, assessing their reliability in matters of personal data protection. The Company maintains records of its processors and regularly monitors their implementation of measures to ensure protection of personal data processed on behalf of the Company.
3.2. Cross-border transfer
3.2.1. As part of its activities, the Company may transfer personal data to the territory of foreign states.
The Company may carry out cross-border data transfer for the following purposes:
- to fulfill the contract concluded (being concluded) with personal data subject for the purpose of performing the actions established by such a contract. In particular, in order to process the data subject's application for a visa, information collected by the Company on behalf of the relevant diplomatic mission is transferred to such a diplomatic mission (i.e. the information will be transferred abroad - from the country where the application is submitted to the country whose visa the subject has applied for);
- for the purposes of considering query/feedback;
- to control and ensure increased security of data processing, as well as due to requirements of diplomatic missions, the Company may transfer personal data of applicants to servers (cloud storage) located abroad.
-
3.2.2. Transfer of data is carried out by the Company to the territory of foreign states that ensure an appropriate level of protection of the rights of personal data subjects (the list is established by the Order of the National Personal Data Protection Center of the Republic of Belarus dd. 15.11.2021 No. 14 “On Cross-Border Transfer of Personal Data"; examples of countries: European Union countries, Great Britain, Russia). General processing grounds apply to such transfers without the need to obtain any additional permits/consents.
3.3. Other cases of provision of personal data
-
3.3.1. Personal data may be transferred (incl. to the territory of a foreign state) by the Company to authorized state bodies and organizations if such a transfer is required in accordance with the law (incl. at the request of the relevant body or organization).
CHAPTER 4
PERSONAL DATA SUBJECTS’ RIGHTS.
MECHANISM FOR THEIR EXECUTION
4.1. In accordance with legislation of the Republic of Belarus, personal data subjects are entitled to exercise the following rights in relation to the Company acting as a Controller (at any time without explanation of reasons):
4.1.1. Right to obtain information regarding processing of personal data.
Data subject has the right to obtain information about the name and location of the Controller, confirmation of the fact of personal data processing, list of personal data being processed, source of their receipt, legal grounds and purposes of processing personal data, period for which consent to processing is given, name and location of the processor(s), if it(they) are involved to the processing.
4.1.2. Right to amend personal data if the personal data are incomplete, outdated or inaccurate. The request is submitted with the relevant documents and (or) their certified copies confirming the need to make changes to the personal data.
At the same time, the Company is not obliged and cannot make changes to the personal data of the data subject if purposes of personal data processing do not imply subsequent amendments of such data.
4.1.3. Right to receive information about provision of personal data to third parties.
Data subject has the right to receive information about what personal data and to whom (which third parties) were provided during the year preceding the date of filing the application. The right can be exercised once per calendar year free of charge, unless otherwise provided by law.
-
4.1.4. Right to terminate processing of personal data and (or) delete them, if there are no grounds for further processing of personal data. If termination of processing and (or) deletion is impossible, the controller takes measures to prevent further processing.
-
4.1.5. Right to withdraw consent, given for personal data processing. Withdrawal of consent does not apply to processing carried out before such a withdrawal.
-
4.1.6. Right to complain to the National Personal Data Protection Center regarding the actions (inactions) and decisions of VFS BY LLC that violate rights of personal data subjects. Its decision can be appealed to court.
-
4.2. The rights specified above may be exercised by the Company only in cases when it acts as the Controller of personal data processing.
In cases when the Company acts as the Processor (e.g. when accept documents from applicants for a visa on behalf of a diplomatic mission), in the matter of considering received requests on personal data processing it acts in accordance with the instructions of the relevant сontroller and has the right to leave the request without consideration, if not authorized to respond by the controller (with notification of the data subject about the reasons for refusal). Detailed information on the rights provided by diplomatic missions and mechanism for their exercising can be found on the websites of the relevant diplomatic missions.
In general, in situations when the controller is a foreign organization, government/diplomatic mission of a foreign state, the rights of data subjects may differ from the ones specified in cl. 4.1 above (since provisions of foreign legislation, in particular provisions of the General Data Protection Regulation (EU) No. 2016/679, apply to them). Rights and mechanisms for their exercising shall be determined in such a case by the relevant controller.
In any case, the Company always assists in exercising the rights of data subjects and is guided by the principle of ensuring their interests.
-
4.3. To exercise the rights, it is necessary to submit a request to the Company in writing or in the form of an electronic document assigned with an electronic digital signature recognized in the Republic of Belarus, and in case of exercising the right to withdraw consent – in the form in which such consent was obtained.
Request in writing must contain full name, address of residence (place of stay), date of birth, subject-matter of the request, personal signature or an electronic digital signature of data subject.
Written request must be sent to the address: Republic of Belarus, 220006, Minsk, Bobruiskaya St., 6/7 (Galileo Shopping Center, 5th floor). Request in the form of an electronic document must be sent to the e-mail address [email protected].
-
4.4. Response to the request submitted in accordance with cl. 4.3 of the Policy is provided to the data subject in the form of the request itself, unless otherwise specified in the request. Period for consideration of the request is no more than 15 days after receipt of the relevant request. Exception is consideration of a request for exercising of the right to obtain information regarding personal data processing, which will be considered within 5 working days after receipt of the request.
-
4.5. Legislation establishes cases when the Controller may refuse to exercise the rights specified above. In such a case, the Company notifies data subject within the specified time frame of the reasons for the refusal.
4.6. In addition to the mechanism for submitting requests indicated in cl. 4.3 of this Policy, since the Company is a part of VFS Global Group, data subject may use a unified SAR form, which is effective in the VFS Global Group, or global e-mail address [email protected]. However, in such cases, the request (and personal data contained therein) will be processed also at the territory of Germany.
4.7. Regardless of the way request is submitted, if provided data are not enough for precise identification of the data subject, the Company has the right to ask for additional information (minimum necessary for precise identification). The Company does not consider anonymous requests.
4.8. The Company has the right not to consider data subjects’ requests, subject-matter of which is execution of the rights specified in cl. 4.1 of this Policy, which are sent in a form or by means other than those specified in this Chapter.
-
4.9. In the event of loss or disclosure of personal data, the Company informs data subjects affected of this fact.
CHAPTER 5
PERSONAL DATA PROTECTION MEASURES
-
5.1. The Company undertakes obligations to protect personal data, ensuring that necessary legal, technical and organizational measures for protection of personal data are taken. In particular, the Company takes the following measures:
appoints Data Protection Officer;
-
differentiates access of employees to personal data depending on their functionality;
-
ensures access control to the premises of visa centers;
-
ensures timely deletion (destruction) of personal data in accordance with the established storage periods;
-
ensures that employees are aware of personal data protection requirements;
-
uses technical and organizational measures for security of data processing in its work (in particular, implements technical and cryptographic protection of personal data);
-
regularly checks data transfer methods and procedures to ensure compliance with policies and applicable legislation;
-
implements other security measures aimed at increased data protection (including in accordance with international standards).
Annex to
Privacy Policy of
VFS BY LLC
DETAILS OF PERSONAL DATA PROCESSING IN VFS BY LLC
Company acts as Processor
Purposes of processing |
Data subject categories |
List of personal data processed |
Legal grounds for processing |
Storage period |
|---|---|---|---|---|
Booking and arranging an appointment to visa center (applies to some diplomatic missions, booking for which is carried out at the website https://vfsglobal.com) Controller is the parent company - VF Worldwide Holdings Ltd.
|
Applicants who booked an appointment via the website https://vfsglobal.com
|
Full name, passport number, date of birth, contact number, e-mail (the list of data may vary depending on the diplomatic mission)
|
Consent (is received by VF Worldwide Holdings Ltd. itself) |
- In relation to EU countries (Schengen area): 7 calendar days after the date on which the applicant is registered - In relation other countries: depends on the diplomatic mission, but no more than 30 calendar days after the date on which the applicant is registered |
Fulfilment of the applicants' instructions (under public offer agreement) to process applicants' data, sort documents, enter data into the information system, deliver documents to/from the relevant consulate and transfer biometric data for obtaining visas by these persons, return travel documents Controller is the relevant diplomatic mission/government of a foreign state. To fulfill this purpose, personal data is transferred by the Company to it.
|
Applicants; other persons whose personal data are indicated in the documents provided (sponsor, inviting party, family members, etc.)
|
Depending on the mission and visa type. The exact list of data (determined by the mission) can be found on the website page dedicated to the requirements of the relevant diplomatic mission. The following personal data are most frequently processed: |
para. 15 art. 6 of the Law (fulfillment of public offer agreement terms) Processing of biometric personal data – Consent* * The Company collects consent on behalf of the diplomatic mission
|
Data of visa applications: Deleted from the Company's systems after their transfer to the diplomatic mission Documents containing other data: Transferred to the diplomatic mission or the applicant upon receipt without storing in the Company's information systems Contact information (name, surname, telephone number, passport number): for other countries - depends on the diplomatic mission, but no more than 30 calendar days after the return of documents to the data subject Biometric data: Depends on the diplomatic mission: |
Company acts as Controller
Purposes of processing |
Data subject categories |
List of personal data processed |
Legal grounds for processing |
Storage period |
|
|---|---|---|---|---|---|
Processing of personal data in the course of the main activity of visa centers |
|||||
Registration and use of personal account on the Website https://vfsglobal.by (required to book an appointment; applies to some diplomatic missions)
|
Users of the Website https://vfsglobal.by who create a personal account (potential applicants)
|
Depends on the diplomatic mission Most common: E-mail, contact number
|
para. 15 art. 6 of the Law |
30 days from the last activity in the account (if the user is not active for 30 days, the account is deactivated) |
|
Booking an appointment via the Website https://vfsglobal.by (required for booking and arranging of a visit to the visa center)
|
Applicants who book an appointment via the Website https://vfsglobal.by
|
Depends on the diplomatic mission Most common: Full name, passport number, date of birth, e-mail, contact number, gender, citizenship, passport validity term
|
para. 15 art. 6 of the Law |
- In relation to EU countries (Schengen area): 7 calendar days after the date on which the applicant is registered - In relation other countries: depends on the diplomatic mission, but no more than 30 calendar days after the date on which the applicant is registered |
|
Providing information on the status of visa application |
Applicants submitted documents for a visa |
Visa application number; surname or passport number or date of birth (depending on the diplomatic mission) |
para. 15 art. 6 of the Law |
Data are not stored |
|
Maintaining a visitor log |
Visitors other than employees and applicants
|
Full name, organization (if applicable), date, time and purpose of visit
|
para. 20 art. 6 of the Law (cl. 1 art. 17 of the Law)
|
1 year after completing the visitor log |
|
Processing of personal data in the course of rendering additional services, related to submitting documents for a visa* |
|||||
Filling in visa application |
Applicants, other individuals, whose personal data are indicated in the application (sponsors, relatives, inviting party, etc.)
|
Depends on the application form (type of visa and country, which the applicant is applying for, affect it) The following data are most often processed (Schengen countries): |
para. 15 art. 6 of the Law |
1 day (day of services’ rendering) |
|
SMS notification of passport readiness Carried out by the processor providing SMS notification services to applicants - UniCallExpert LLC (Republic of Belarus)
|
Applicants |
Contact number |
para. 15 art. 6 of the Law |
Deleted by the processor no later than the day following the day the SMS was sent Application for the provision of additional services (in which the phone number is indicated) - 3 years after tax authorities have conducted an audit. If no audit was conducted - 10 years after the end of the contract |
|
Photo services |
Applicants |
Face image |
para. 15 art. 6 of the Law |
Image (and its negative) – 1 day (deleted at the end of the day of service) |
|
Courier delivery of passports The data is transferred to the processor providing courier services - Autolight Express LLC (Republic of Belarus) |
Applicants |
Full name, delivery address, phone number
|
para. 15 art. 6 of the Law |
Storage by the processor – 6 months Application for the provision of additional services (in which the delivery address is indicated) - 3 years after tax authorities have conducted an audit. If no audit was conducted - 10 years after the end of the contract |
|
Organizing making payments by the applicants using bank plastic cards and other payment methods online on the Website https://vfsglobal.by To make payments, the provider of BePaid service is involved - IKomCharge LLC (Republic of Belarus)
|
Applicants making payments online on the Website https://vfsglobal.by |
Сompany itself processes only date, amount, number of transaction, list of services. Company does not have access to the information on the cardholder's card BePaid service provider processes: cardholder's full name, bank card number, CVC/CVV, phone number, email address, and other data required to make a payment |
para. 15 art. 6 of the Law |
Storage period by BePaid service provider: 5 years from the date of payment (para. 14 cl. 1 art. 6 of the Law of the Republic of Belarus dd. 30.06.2014 No. 165- З)
|
|
* Provision of services under Public Offer Agreement is fixed in act-report (containing the applicant's full name and application number), storage period of which is 3 years after the tax authorities’ audit (10 years after the expiration of the agreement - if no audit was conducted) |
|||||
Processing of personal data in the course of considering requests |
|||||
Consideration of requests from citizens and legal entities, incl. those in customer comment book (within the framework of legislation on requests from citizens and legal entities)
|
Citizens, representatives of legal entities submitting requests; other individuals whose personal data are indicated in the request
|
Full name, residence address (address of place of stay), subject-matter of the request, other information specified in the request
|
para. 20 art. 6, para. 17 cl. 2 art. 8 of the Law |
5 years from the date of the last request 5 years after completion of customer comment book
|
|
Consideration of requests from data subjects (within the framework of legislation on personal data protection)
|
Individuals who submit requests, other individuals whose personal data are indicated in the request
|
If sent in writing or as an electronic document:
|
para. 20 art. 6, para. 17 cl. 2 art. 8 of the Law
|
1 year |
|
Consultation of individuals who contacted call-center via phone call regarding the questions related to rendering services by the Company Functions of the call-center are performed by the processor - UniCallExpert LLC (Republic of Belarus)
|
Individuals, reaching for call-center |
Contact number The minimum required list of personal data, determined depending on the nature and content of the consultation (processed only if necessary) |
para. 15 art. 6 of the Law |
Recording of telephone conversations - 30 calendar days |
|
Organization of personal appointment with the Company’s Director
|
Individuals, asking for a personal appointment with the Company’s Director |
Full name, contact phone number, subject-matter of the request |
para. 20 art. 6 of the Law |
5 years |
|
Consideration of requests from state authorities and organizations The requesting party is provided with the requested personal data only if there are legal grounds for doing so
|
Individuals regarding whom the request was sent to VFS BY LLC
|
Depending on the contents of the request
|
para. 20 art. 6, para. 17 cl. 2 art. 8 of the Law (legal basis for the request must be stated in the request itself) |
Depending on the contents of the request in accordance with the established retention periods for the relevant type of correspondence |
|
Processing of personal data in the course of other processes |
|||||
Conclusion (execution) of contracts with counterparties providing services to VFS BY LLC
|
Individual – party to the contract |
Full name, bank account, passport details (number, date and body of issue, identification number)
|
para. 15 art. 6 of the Law
|
3 years after the tax authorities’ audit (10 years after the expiration of the agreement - if no audit was conducted)
|
|
When concluding the contract with an individual entrepreneur/legal entity:
|
1. Full name, position of the person who signed the contract |
1. para. 20 art. 6 of the Law (art. 49, art. 186 of the Civil Code) |
|||
Dispute Resolution The data are provided to courts, law enforcement agencies, notaries and other authorized bodies; may be provided to third parties providing legal services
|
Individuals - parties to the dispute, representatives of legal entities - parties to the dispute; third parties whose personal data processing is necessary to resolve the dispute
|
Depending on the essence of dispute |
para. 20 art. 6, para. 17 cl. 2 art. 8 of the Law |
3 years |
|
Searching, engaging, selecting and taking record of job candidates
|
Candidates for employment |
In accordance with the contents of CV, application form of the job candidate, incl.: Full name, education (educational institution, specialty), work experience, phone number, e-mail address;
|
Consent (art. 5 of the Law) - when sending a CV by e-mail (received in electronic form by replying to a message from the Company) para. 16 art. 6 of the Law - in case of personal presence of the candidate when submitting a CV (subject to affixing a personal signature on the document) para. 19 art. 6 of the Law - when using candidate search services |
1 year – in case of non-employment
|
|