Data Protection Law contains a wide range of legal bases for personal data processing:
- data subject’s consent;
- if the processing is required for:
- administrative or criminal proceedings, operational-search activities;
- administration of justice and the enforcement of court orders and other enforcement documents;
- performing monitoring activities (supervision) in accordance with the legislation;
- implementation of legislation on national security, on combating corruption, on preventing money laundering, financing of terrorist activities and financing weapons of mass destruction proliferation;
- the implementation of legislation on elections and referendum;
- state social insurance purposes;
- formalising employment relationships, in the process of employment activities;
- notarial activities;
- Belarusian citizenship issues;
- assignment and payment of pensions, benefits;
- the organisation and carrying out of national statistical observations;
- scientific and other research purposes, on condition that the personal data are depersonalised;
- accounting, calculation, charging of fees for housing and utility services, other services, taxes;
- processing is based on a contract, that is concluded (being concluded) with data subject, and for the purpose of performing actions stipulated by this contract;
- if personal data are specified in a document addressed to the operator and signed by the data subject;
- processing is essential for the performance of certain journalist’s activities;
- processing is required to protect the subject's life, health or other interests if obtaining of consent is not possible;
- if personal data were previously disseminated;
- in order to fulfil the duties / powers stipulated in legislation;
- in other cases expressly provided in legislation.
Data Protection Law has different list of legal bases for processing of special personal data and for cross-border transfer of personal data to the territories of states that do not ensure proper protection of data subjects rights.
The consent of the data subject can be obtained in writing, in the form of an electronic document or in another electronic form (e.g. via tick-box at the website or SMS / email verification). Operator shall provide proof, if be required, that it has collected proper consent for personal data processing.
Before obtaining consent, the operator shall provide the subject of personal data with the following information:
- name (full name) and location (address of residence) of the operator;
- purpose of personal data processing;
- list of personal data to be processed;
- consent validity term;
- information about the persons authorised by operator to process personal data (if those are engaged);
- what actions be done with personal data;
- a general description of the processing methods;
- other relevant information.
In addition, apart from other necessary information, the subject shall be informed of his/her rights, the mechanism for exercising them, the consequences of giving and withdrawing consent.
Operator may collect surname, first name, middle name of data subject, date of birth, identification number (if not, the number of the ID document) only if it is required for the purposes of processing. Such information shall be provided by data subject when at the time he/she provides the consent.
Collection and processing of personal data shall be performed having implemented certain legal, organisational and technical measures for personal data protection. The organisational measures may include establishing a special entrance regime to the premises used for collection and processing, designation of employees who can have an access to such premises and data, and differentiation of access levels to respective information. The technical measures may include using cryptography, technical means and other possible measures of control over information protection.
Data Protection Principles
Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):
- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)
- Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)
- Accurate and where necessary kept up-to-date (accuracy principle)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)
The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.
Legal Basis under Article 6
In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):
- With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time)
- Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
- Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
- Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies)
- Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
- Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)
Special Category Data
Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):
- With the explicit consent of the data subject
- Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
- Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
- In limited circumstances by certain not-for-profit bodies
- Where processing relates to the personal data which are manifestly made public by the data subject
- Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity
- Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
- Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
- Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
- Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)
Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.
Criminal Convictions and Offences data
Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).
Processing for a Secondary Purpose
Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:
- Any link between the original purpose and the new purpose
- The context in which the data have been collected
- The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
- The possible consequences of the new processing for the data subjects
- The existence of appropriate safeguards, which may include encryption or pseudonymization
If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).
Transparency (Privacy Notices)
The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.
Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).
The following information must be provided (Article 13) at the time the data are obtained:
- The identity and contact details of the controller
- The data protection officer's contact details (if there is one)
- Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
- The recipients or categories of recipients of the personal data
- Details of international transfers
- The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
- The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
- Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
- The consequences of failing to provide data necessary to enter into a contract
- The existence of any automated decision making and profiling and the consequences for the data subject
- In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information
Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.
Rights of the Data Subject
Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.
Right of access (Article 15)
A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.
Right to rectify (Article 16)
Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to erasure ('right to be forgotten') (Article 17)
Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.
The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.
Right to restriction of processing (Article 18)
Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.
Right to data portability (Article 20)
Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).
Right to object (Article 21)
Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.
In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.
The right not to be subject to automated decision making, including profiling (Article 22)
Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where:
- Necessary for entering into or performing a contract
- Authorized by EU or Member State law
- The data subject has given their explicit (ie, opt-in) consent
Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.
The Personal Data Processing Law contains provisions on specific treatment related to the exercise of other fundamental rights of the individual, providing derogations relating to the data processing for archiving purposes, scientific or historical research purposes, statistical purposes, and the processing of national classified data.
The Personal Data Processing Law provides specific rules and exceptions regarding the journalistic, academic, artistic and literary processing of personal data. When processing data for these purposes, it is necessary to assess the balance between the right to privacy and freedom of expression.
The Personal Data Processing Law also provides for specific rules regarding the processing of data in the official publication. It states that the data published in the official publication is deleted by the publisher on the basis of a decision of the DSI or a decision confirming that such publication does not comply with the provisions of the GDPR.
The consent of a child for the use of information society services is deemed lawful where the child is at least 13 years old, meaning that Latvia has chosen the lowest threshold regarding the age of the child. Where the child is below the age of 13 years, such consent will be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
The fundamental legal act regulating personal data protection in Belarus is the Law on Personal Data Protection of 7 May 2021 No. 99-Z which entered into force on 15 November 2021 (Data Protection Law). It is the first Belarusian legal act intended specifically for regulation of personal data protection issues.
It worth also to take into consideration the acts implemented within the framework of the Eurasian Economic Union (EEU), e.g. the Protocol on Information and Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of 29 May 2014. Following the Decision of the Supreme Eurasian Economic Council of 11 October 2017 the member states of EEU are planning to develop the initiative on conclusion of the Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of measures aimed at implementation of the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.
Definition of personal data
Data Protection Law defines “personal data” as any information relating to an identified or identifiable natural person.
In its turn, “individual who can be identified” means an individual who can be directly or indirectly determined, in particular through the surname, proper name, patronymic, date of birth, identification number, or through one or more of characteristic features of her / his physical, psychological, mental, economic, cultural or social identity.
The Law also defines “special personal data”, “biometric personal data”, “genetic personal data” and “publicly available personal data”.
Definition of sensitive personal data
Data Protection Law defines “special personal data” which include information about race, nationality, political, religious and other convictions, health and sexual activity; criminal conviction records; biometric and genetic personal data.
“Biometric personal data” means information describing the physiological and biological characteristics of a person, which is used for her / his unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.), while “genetic personal data” is defined as information related to the inherited or acquired genetic characteristics of a person, which contain unique data on her / his physiology or health and can be identified, in particular, during the study of her / his biological sample.
The National Personal Data Protection Centre ("NPDPC") is the competent authority for the protection of personal data subjects' rights. The main tasks of the NPDPC are taking measures to protect the rights of personal data subjects in the processing of their personal data and organising training on personal data protection issues.
In accordance with these tasks NPDPC performs the following functions:
- controls the processing of personal data by operators (authorised persons);
- considers complaints of personal data subjects regarding the processing of personal data;
- determines the list of foreign countries having proper level of data subjects’ rights protection;
- issues permits for cross-border transfer of personal data, if the level of protection of personal data subjects' rights in a foreign country is not adequate, as well as establishes the procedure for issuing such permits;
- makes proposals on the improvement of the personal data legislation, participates in the drafting of legal acts on personal data;
- provides explanations on the application of personal data legislation, carries out other explanatory work on personal data legislation;
- determines the cases in which it is not necessary to notify NPDPC of the breach of personal data protection systems;
- establishes the classification of information resources (systems) containing personal data in order to determine the technical and cryptographic protection requirements for personal data;
- participates in the work of international organisations on personal data protection issues;
- cooperates with authorities (organisations) for protection of rights of personal data subjects in foreign countries;
- publishes annually by 15 March, the report in mass media on its activities;
- implements educational programs of additional education for adults in accordance with the legislation on education;
- exercises other authority established by the personal data legislation.
NPDPC constantly develops legislation in a field of personal data protection. Data protection authority publishes its recommendations and clarifications on application of Data Protection Law provisions and specifics of personal data protection on various matters (inter alia, on the content of privacy policy, on personal data processing in employment and pre-employment relations, in educational sphere, on relations between operators and authorised persons in terms of personal data processing).
Contact information of NPDPC
Build. 24-3
K.Zetkin str.
Minsk, 220036
T: + 375 17 367 07 90
e-mail: [email protected]
Since 1 January 2024 operators are obliged to add information about information resources (systems) containing personal data into Register of Personal Data Operators and ensure that the relevant information is kept up-to-date. Information shall be added regarding information resources (systems) that involve:
- cross–border transfer of special personal data, to a foreign state with “inappropriate” level of data subjects’ rights protection (special except for certain cases provided by Data Protection Law);
- processing of biometric and (or) genetic personal data;
- personal data processing of more than 100 thousand individuals; and
- personal data processing of more than 10 thousand individuals under the age of sixteen.
Order of the Operational and Analytical Centre under the President of the Republic of Belarus (OAC) No. 94 of 1 June 2022 establishes the list of data that shall be added into the Register of Personal Data Operators.
State information systems shall be registered under the separate procedure regardless whether any personal data are processed in it or not. According to Belarusian legislation state information systems are information systems created and / or acquired at the expense of state or local budgets, state off-budget funds, or by state legal entities. Registration is performed by specially authorised by the Ministry organisation – SERUE “Institute of Application Software Systems”. One of the conditions for state registration of an information system is registration of all information resources included in such an information system. Described registration can be performed for private owned information systems voluntarily.
According to the Edict of the President of the Republic of Belarus of 16 April 2013 No. 196 On Certain Measures for Improvement of the Information (Information Protection Edict) organisations owning information systems intended for processing of personal data are obliged to notify the OAC on the conditions of technical information protection of such systems.
Data Protection Law obliges operators to designate a structural unit or person responsible for the internal control of personal data processing. This shall be an internal unit or employees of the organisation, i.e. it is not possible to outsource the control functions. The legislation establishing obligations of different positions stipulates that the specialist of internal control over personal data processing shall have higher education, while no requirements for work experience are established.
Persons responsible for the internal control of personal data processing shall complete training on issues related to personal data protection at least once every five years. Depending on the type of organisation, the training may be organised at NPDPC or other educational organisations. In addition, the operators shall annually by 15 November provide NPDPC with information on the number of persons who shall complete training at NPDPC.
Moreover, a legal entity, including state body, processing personal data shall create information protection systems to secure information in their information systems used for processing of such data. As a part of creation of such system the entity should establish special department or appoint employee responsible to take required technical and cryptography information protection measures. According to the Information Protection Edict, the employees of such department (responsible employee) are required to have higher education in the sphere of information protection security or other higher or specialised secondary or professional - technical education and undergo training on the issues of technical and cryptographic information protection.
If for some reasons respective departments / employees cannot take such measures themselves, a special organisation licensed to perform activities on technical and / or cryptography information protection may be involved.
Data Protection Law contains a wide range of legal bases for personal data processing:
- data subject’s consent;
- if the processing is required for:
- administrative or criminal proceedings, operational-search activities;
- administration of justice and the enforcement of court orders and other enforcement documents;
- performing monitoring activities (supervision) in accordance with the legislation;
- implementation of legislation on national security, on combating corruption, on preventing money laundering, financing of terrorist activities and financing weapons of mass destruction proliferation;
- the implementation of legislation on elections and referendum;
- state social insurance purposes;
- formalising employment relationships, in the process of employment activities;
- notarial activities;
- Belarusian citizenship issues;
- assignment and payment of pensions, benefits;
- the organisation and carrying out of national statistical observations;
- scientific and other research purposes, on condition that the personal data are depersonalised;
- accounting, calculation, charging of fees for housing and utility services, other services, taxes;
- processing is based on a contract, that is concluded (being concluded) with data subject, and for the purpose of performing actions stipulated by this contract;
- if personal data are specified in a document addressed to the operator and signed by the data subject;
- processing is essential for the performance of certain journalist’s activities;
- processing is required to protect the subject's life, health or other interests if obtaining of consent is not possible;
- if personal data were previously disseminated;
- in order to fulfil the duties / powers stipulated in legislation;
- in other cases expressly provided in legislation.
Data Protection Law has different list of legal bases for processing of special personal data and for cross-border transfer of personal data to the territories of states that do not ensure proper protection of data subjects rights.
The consent of the data subject can be obtained in writing, in the form of an electronic document or in another electronic form (e.g. via tick-box at the website or SMS / email verification). Operator shall provide proof, if be required, that it has collected proper consent for personal data processing.
Before obtaining consent, the operator shall provide the subject of personal data with the following information:
- name (full name) and location (address of residence) of the operator;
- purpose of personal data processing;
- list of personal data to be processed;
- consent validity term;
- information about the persons authorised by operator to process personal data (if those are engaged);
- what actions be done with personal data;
- a general description of the processing methods;
- other relevant information.
In addition, apart from other necessary information, the subject shall be informed of his/her rights, the mechanism for exercising them, the consequences of giving and withdrawing consent.
Operator may collect surname, first name, middle name of data subject, date of birth, identification number (if not, the number of the ID document) only if it is required for the purposes of processing. Such information shall be provided by data subject when at the time he/she provides the consent.
Collection and processing of personal data shall be performed having implemented certain legal, organisational and technical measures for personal data protection. The organisational measures may include establishing a special entrance regime to the premises used for collection and processing, designation of employees who can have an access to such premises and data, and differentiation of access levels to respective information. The technical measures may include using cryptography, technical means and other possible measures of control over information protection.
The general rule is that cross-border transfer is prohibited, unless a foreign state provides an appropriate level of protection of the personal data subjects’ rights. NPDPC has established that the list of foreign states, which ensure appropriate level of protection. The list includes foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981 as well as foreign states that are members of the Eurasian Economic Union. There are certain plans to broaden the list of foreign states that provide appropriate level of protection of the personal data subjects’ rights.
However there are certain exceptions, when transfer to the jurisdictions with inappropriate level of protection will be allowed. For example, upon respective consent of the personal data subject and informing of the possible risks or under the individual permit for cross-border transfer issued by NPDPC.
The owners of the information systems should take appropriate technical, legal and organisational measures to secure personal data processed in their information systems. The key technical measure is creation of the information protection system to secure the information system of an entity intended for processing of personal data. The information protection system shall be attested according to the procedure established by the OAC. The rules also suggest simplified attestation procedure for subjects using information system of other organisations who have already passed attestation procedure for their systems.
Data Protection Law establishes an obligation to notify NPDPC on breach of systems used for personal data protection immediately, but not later than within three business days of discovery, in writing or in the form of an electronic document. Exceptions to this requirement are cases where a breach of security systems has not resulted in the unlawful dissemination, provision of personal data; modification, blocking or deletion of personal data without the possibility of restoring access to it.
Certain additional requirements on the notification of the OAC are set for specific cases of information protection system breaches or periodical reporting as required by Belarus law. The respective requirements are set forth in the Regulations on the procedure for submitting information about information security events, the state of technical and cryptographic protection of information to the OAC, as approved by the Order of the OAC of 2 February 2020 No. 66.
According to Data Protection Law, NPDPC supervises the processing of personal data by operators and authorised persons. In the case of a breach of personal data legislation, NPDPC has the right to issue a demand to eliminate the detected violations and / or to terminate personal data processing in the information resource (system). Term for elimination and / or termination is set by the NPDPC, but shall not be longer than six months.
Violation of personal data protection legislation may result in civil, criminal and administrative liability. If the violation has led to moral damages, the violator may be required by the court to reimburse such damages.
Administrative Offences Code of Republic of Belarus stipulates specific sanctions for personal data processing violations, including:
- intentional illegal collection, processing, storage or transfer of personal data of an individual or violation of his / her rights related to the processing of personal data may cause a fine up to 50 base units; intentional distribution – up to 200 base units (since 1 January 2023 one base unit equals BYN 37, approx. EUR 11);
- non-compliance with requirements on data protection measures implementation may cause a fine ranging from 20 to 50 base units for legal entities.
The Criminal Code of Republic of Belarus envisages criminal liability for the following breaches:
- unlawful collection or provision of information relating to the private life and (or) personal data of another person without his / her consent (depending on the circumstances like volume on gravity) causing substantial harm to the rights, freedoms and legitimate interests of a citizen a person could be sentenced to community work, a criminal fine, arrest, or the restriction or deprivation of liberty for up to two years. For the unlawful distribution – restriction or deprivation of liberty for up to three years with the criminal fine. Higher liability may apply if offence relates to the victims performing public functions; failure to comply with measures to ensure the protection of personal data by a person who processes personal data, which has inadvertently resulted in their dissemination and causing serious consequences a person could be sentenced to a criminal fine, deprivation of the right to occupy certain job positions or perform certain activities, corrective work for up to one year, arrest, or the restriction of liberty for up to two years or deprivation of liberty for up to one year.
Electronic marketing is subject to the rules established by the Law on Advertising of 10 May 2007 No. 225-Z (Advertising Law) and the Law on Mass Media of 17 July 2008 No. 427-Z (Mass Media Law).
According to the general rule of the Advertising Law it is not allowed to use in advertising names, pseudonyms, images or statements of citizens of the Republic of Belarus without their consent or the consent of their legal representatives.
Distribution of advertisements by telecommunication means (e.g. telephone, telex, facsimile, mobile telephone communications, email) can be performed only with the consent of respective subscriber or addressee. Such consent can be made as a text document, including document in electronic form. The consent also can be a part of an agreement for telecom services. In this case subscriber or addressee must be informed about her / his right to demand stopping placing (distributing) advertisement to her / him, which shall be specifically confirmed by the subscriber (addressee).
The advertisement distributor is obliged to immediately stop advertising to subscriber or addressee upon his / her demand within one work day from receiving the demand.
Individuals whose rights have been violated as a result of creation and / or distribution of an advertisement are entitled to protect their rights in court proceedings.
According to the Mass Media Law, information about person’s personal life or audio, video records and photos of a person can be distributed in mass media as a general rule only with consent of such person or his/her authorised representative. As an exception, distribution in the media of information messages and (or) materials prepared using audio or video recording, filming or photo of an individual without her / his consent is allowed only if measures are taken against the possible identification of this individual by unauthorized persons, and also provided that the dissemination of these information messages or materials does not violate the constitutional rights and freedoms of the individual and is necessary to protect public interests (except to criminal investigations or court proceedings).
Belarus law does not specifically regulate online privacy. General requirements on personal data protection apply.
Certain specific online privacy requirements can be established under the legislation. For example, personal data of a person, who is a domain name administrator, can be disclosed in online WHOIS service of Belarusian domain zone only with consent of such person. However, consent is not required if the domain name was registered in the name of an individual entrepreneur.
