Belarus: Personal Data - New Law Adopted

The Law on Personal Data Protection was officially published on 14 May 2021. It will enter into force six months after publication, i.e. in November this year.

This is the first law specifically dedicated to personal data in Belarus. Its provisions significantly change and clarify the regulation of personal data processing, which could affect almost every company. Our Commercial and Regulatory practice group has prepared an overview of the key points from the new law.

A definition of personal data will appear under the new law

Personal data refers to any information relating to an identified or an identifiable natural person. As a result, a wide range of data may fall into the category of personal data.

The law also introduces the concepts of an “operator” and an “authorised party”, which have some similarity to the concepts of data controller and data processor in the GDPR. Thus, the operator independently processes personal data, while the authorised party does so on behalf of or in the interests of the operator, e.g. on the basis of a contract.

The main basis for collecting and processing personal data is the data subject’s consent

The law imposes certain criteria necessary for the consent to be proper. In particular, the consent must be informed, i.e. the following information must be provided to the data subject before consent is obtained:

  • the name and location of the operator;
  • the purpose of the personal data processing;
  • the list of personal data to be provided;
  • the consent duration term;
  • information on authorised parties;
  • a list of actions that the personal data will be used for;
  • other information that makes the personal data processing process transparent.

Prior to obtaining consent, the operator must explain to data subjects, in simple and clear language, their rights related to the processing of personal data, the mechanisms for exercising these rights, and the consequences of giving or denying consent. This information must be provided separately from other information, which may require a privacy policy.

Various forms of consent are envisaged: in addition to written consent, consent can be obtained by virtue of SMS with a code, by e-mail, or by ticking a box on a website.

Consent is not required:

1) based on a contract with the data subject, for the purpose of its performance;

2) for certain employment-related matters;

3) with respect to previously disseminated personal data, until a request is received to stop processing of the disseminated personal data or to delete them.

Purposes stated for personal data processing

The law introduces the requirement for processing to be proportionate to its purposes. Such goals should be legal, specific, stated in advance and should also ensure a fair balance between the interests of all interested parties at all stages of processing. The storage of personal data should not be longer than the stated purposes of processing require.

Data subjects will have the following rights (inter alia):

  • to withdraw their consent;
  • to obtain information about the processing of personal data and their modification;
  • to be informed about the provision of their personal data to third parties;
  • to demand the termination of processing of personal data and/or their deletion;
  • to appeal against the operator’s acts (or omissions) and decisions.

The relationship between the operator and the authorised party

The contract between the operator and the authorised party must specify:

  • the purposes of processing;
  • the list of operations to be performed with the personal data by the authorised party;
  • confidentiality obligations;
  • measures to ensure personal data protection.

The operator, not the authorised party, is responsible for obtaining the data subject’s consent.

Once a calendar year, free of charge, the data subject has the right to receive information from the operator about the provision of their personal data to third parties. The standard response time is 15 days.

Cross-border transfer of personal data

The cross-border transfer of personal data may only take place if:

  • the data subject gives its consent;
  • personal data are obtained based on a contract with the data subject;
  • personal data can be obtained by any person via request;
  • such a transfer is necessary for the protection of life, health or other vital interests of the data subject or other persons, if the consent of the data subject cannot be obtained;
  • processing of personal data is carried out under the terms of the international agreements of the Republic of Belarus;
  • transfer is carried out by the financial monitoring authority;
  • on the basis of permission from the data protection authority.

For the first time, a data protection authority (DPA) will be introduced in Belarus to protect the rights of data subjects

The DPA will be authorised to take measures to protect the rights of data subjects during personal data processing. Among other things, the DPA will:

  • inspect personal data processing by the operators (authorised third parties);
  • consider complaints from data subjects;
  • if necessary, require operators to change, block or delete inaccurate or illegally obtained personal data;
  • establish a list of countries that have an adequate level of data protection and provide authorisation for cross-border transfers;
  • clarify the legislation on personal data.

Liability for personal data breaches

Sanctions in the sphere of personal data are currently being improved, including civil, administrative and criminal liability.

It is assumed that a data subject will be able to claim compensation for property damages and losses incurred, as well as moral damage caused to the data subject as a result of a breach of his/her rights.

From 1 March 2021, unlawful processing, or violation of data subjects’ rights or the rules on their protection will entail administrative liability. Depending on the infringement, the sanction can be imposed on a natural person (for example, manager) or on a company; the amount can vary, up to 200 basic units, which is approx. EUR 1 900. You can read more on this issue here.

In addition, draft amendments to the Criminal Code of the Republic of Belarus are being considered by the parliament and will introduce criminal liability in relation to personal data.

How can we help?

Sorainen Belarus advises on all legal aspects of compliance with legislation in the sphere of personal data. In particular, we can provide assistance at the following stages:

  1. Assessment of the data processing model for compliance with applicable requirements
  2. Analysis and preparation of personal data processing consent forms
  3. Drafting provisions of the contract between the operator and the authorised party
  4. Evaluating and implementing procedures for the operator/authorised party to respond to requests from data subjects
  5. Preparing a set of documents defining the operator’s policy on personal data
  6. Implementation of procedures for interaction with employees and other persons directly involved in the processing of personal data

Our team can help you with any questions related to data protection:

Kirill Laptev

Head of Technology, Media & Telecommunications at Sorainen Belarus

+375 29 339 4590

kirill.laptev@sorainen.com