DLA Piper Intelligence

Data Protection
Laws of the World

Law

Belarus
Belarus

The fundamental legal acts regulating personal data protection in Belarus are the Law on Information, Informatisation and Data Protection of 10 November 2008 No. 455-Z (Data Protection Law) and the Law on Population Register of 21 July2008 No. 418-Z (Population Register Law). Legal requirements on technical measures that shall be implemented in connection with processing of personal data are developed in a number of legal acts, including those purely of technical nature. The Edict of the President of the Republic of Belarus of 18 April 2013 No. 196 On Certain Measures for Improvement of the Information Protection is the key from this range of legal acts (Information Protection Decree).

We expect adoption of the Law on Personal Data Protection in 2021. It will be the first Belarusian legal act intended specifically for regulation of personal data protection issues. The draft Law on Personal Data was adopted in the first reading by the lower chamber of Belarusian parliament in June 2019.

The acts implemented within the framework of the Eurasian Economic Union (EEU) should also be taken into consideration, e.g. the Protocol on Information and Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of 29 May 2014. Following the Decision of the Supreme Eurasian Economic Council of 11 October 2017 the member states of EEU are planning to develop the initiative on conclusion of the Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of measures aimed at implementation of the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.

Last modified 12 Jan 2021
Law
Belarus

The fundamental legal acts regulating personal data protection in Belarus are the Law on Information, Informatisation and Data Protection of 10 November 2008 No. 455-Z (Data Protection Law) and the Law on Population Register of 21 July2008 No. 418-Z (Population Register Law). Legal requirements on technical measures that shall be implemented in connection with processing of personal data are developed in a number of legal acts, including those purely of technical nature. The Edict of the President of the Republic of Belarus of 18 April 2013 No. 196 On Certain Measures for Improvement of the Information Protection is the key from this range of legal acts (Information Protection Decree).

We expect adoption of the Law on Personal Data Protection in 2021. It will be the first Belarusian legal act intended specifically for regulation of personal data protection issues. The draft Law on Personal Data was adopted in the first reading by the lower chamber of Belarusian parliament in June 2019.

The acts implemented within the framework of the Eurasian Economic Union (EEU) should also be taken into consideration, e.g. the Protocol on Information and Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of 29 May 2014. Following the Decision of the Supreme Eurasian Economic Council of 11 October 2017 the member states of EEU are planning to develop the initiative on conclusion of the Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of measures aimed at implementation of the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.

Last modified 12 Jan 2021
Definitions

Definition of personal data

According to the Data Protection Law, personal data consist of basic and additional personal data of an individual that are included in the population register, as well as other data enabling identification of certain individual. According to the Population Register Law basic personal data include the following types of information:

  • Person’s ID-number
  • Name, second name, surname
  • Gender
  • Date and place of birth
  • Digital photo
  • Citizenship
  • Information regarding registration at the place of residence or stay
  • Information regarding death or recognition of a person to be dead, untraceable, incapable or partially capable

The list of additional personal is also indicated in Population Register Law and includes, inter alia, data on:

  • Person's parents, guardians, marital status, spouse, children
  • Higher education, scientific degree and rank
  • Occupation
  • Pension
  • Military duty performance
  • Tax obligations
  • Disability

Belarus law does not define the notion of "other data enabling identification of certain individual". Arguably, mobile telephone number, email address, IP-address identifier could be recognised as personal data subject to certain conditions. However, there are no unified understanding on this issue among Belarusian researchers, as well as no confirmations based on court practice.

The draft Law on Personal Data Protection (in case adopted in currently available version) will define personal data as any information, related to identified natural person or natural person that can be identified on the basis of such information.

Definition of sensitive personal data

There is currently no concept of sensitive personal data in Belarus laws.

The draft Law on Personal Data (in case adopted in currently available version) will introduce the definition of “special personal data”. Special personal data will include information about race, nationality, political, religious and other convictions, health and sexual activity; criminal conviction records; biometric and genetic personal data.

Last modified 12 Jan 2021
Authority

Currently the main state authority involved in overseeing personal data protection issues is Operational and Analytical Centre under the Aegis of the President of the Republic of Belarus (the "OAC").

Should the draft Law on Personal Data Protection be adopted in currently available version, special data protection authority will be designated. The new data protection authority will:

  • monitor the collection, processing, distribution and provision of personal data by operators and take associated measures to protect the rights of personal data subjects;
  • decide claims of personal data subjects;
  • prevent violations of the legislation on personal data protection;
  • issue permits for cross-border transfer of personal data; and
  • provide interpretations of the provisions of the personal data protection legislation.
Last modified 12 Jan 2021
Registration

Belarus law does not require any special registration for an entity / person to collect and process personal data or registration of a private information system (eg, database) used for processing of personal data.

State information systems shall be registered regardless whether any personal data are processed in it or not. According to the Data Protection Law state information systems are information systems created and / or acquired at the expense of state or local budgets, state off-budget funds, or by state legal entities.. Registration is performed by specially authorised by the Ministry organisation – SERUE “Institute of Application Software Systems.” One of the conditions for state registration of an information system is registration of all information resources included in such an information system. Described registration can be performed for private owned information systems voluntarily.

According to the general rule of Data Protection Decree organisations owning information systems intended for processing of personal data are obliged to notify the OAC on the conditions of technical information protection of such systems.

Last modified 12 Jan 2021
Data Protection Officers

The Data Protection Law does not provide for a general requirement on compulsory appointment of a data protection officer.

In the meantime, a legal entity, including state body, processing personal data shall create information protection systems to secure information in their information systems used for processing of such data. As a part of creation of such system the entity should establish special department or appoint employee responsible to take required technical and cryptography information protection measures. According to the recent amendments to the Information Protection Decree, the employees of such department (responsible employee) are required to have higher education in the sphere of information protection security or other higher or professional-technical education and undergo training on the issues of technical and cryptographic information protection.

If for some reasons respective departments / employees cannot take such measures themselves, a special organisation licensed to perform activities on technical and / or cryptography information protection may be involved.

The draft Law on Personal Data Protection (if adopted in its currently available version) will oblige a personal data operator to designate a special organisational unit (department, division, etc.) or appoint a person responsible to arrange collection, processing, distribution and provision of personal data.

Last modified 12 Jan 2021
Collection & Processing

Collection and processing of personal data shall be performed:

  • Only with a written consent of personal data subject
  • In information systems secured with the information protection systems attested in the procedure established by the OAC (technical and cryptographic information protection means certified in accordance with Belarus law shall be used for creation of such information protection system)
  • Having implemented certain legal, organisational and technical measures for personal data protection

The legal measures may include concluding agreements with an individual whose personal data are collected and processed. Such agreements should stipulate the terms of personal data usage, as well as liability of parties for breach respective terms.

The organisational measures may include establishing a special entrance regime to the premises used for collection and processing, designation of employees who can have an access to such premises and data, and differentiation of access levels to respective information.

The technical measures may include using cryptography, technical means and other possible measures of control over information protection.

Last modified 12 Jan 2021
Transfer

According to the Data Protection Law, transfer of personal data can be performed only with written consent of the personal data subject. Disclosure of personal data unauthorised by the personal data subject is possible in situations explicitly provided by the laws. For example, according to the Tax Code Belarusian tax authorities may receive personal data without consent of respective personal data subjects to maintain the State Register of Taxpayers. Currently there are no specific requirements established for transfer of personal data from Belarus to abroad.

In practice, the organisations processing personal data (including those of their employees, clients, etc.) may take certain legal, organisational, technical and other measures to prevent illegal distribution of personal data and comply with the Data Protection Law requirements.

Should the draft Law on Personal Data Protection be adopted in currently available version, cross-border transfer of personal data will become specifically regulated. According to the general rule provided by the draft, cross-border transfer of personal data to the countries not ensuring sufficient measures of personal data protection is prohibited. There are certain exceptions, when transfer to these jurisdictions will be allowed. For example, upon respective consent of the personal data subject or under the individual permit for cross-border transfer issued the data protection authority.

Last modified 12 Jan 2021
Security

The owners of the information systems should take appropriate technical, legal and organizational measures to secure personal data processed in their information systems. The key technical measure is creation of the information protection system to secure the information system of an entity intended for processing of personal data. The information protection system shall be attested according to the procedure established by the OAC.

Last modified 12 Jan 2021
Breach Notification

Mandatory breach notification

There is no general requirement under Belarusian law to notify personal data subject or any state authority of a data breach, including in case of unlawful disclosure or use of personal data.

Certain requirements on the notification of the OAC are set for specific cases of information protection system breaches or periodical reporting as required by Belarus law. The respective requirements are set forth in the Regulations on the procedure for submitting information about information security events, the state of technical and cryptographic protection of information to the OAC, as approved by the Order of the OAC of 2 February 2020 No. 66.

Should the draft Law on Personal Data Protection be adopted in its currently available version, it will establish an obligation to notify data protection authority on breach of systems used for personal data protection immediately, but not later than within three days. Exceptions from this requirement may be established by the data protection authority.

Last modified 12 Jan 2021
Enforcement

The key authority involved in enforcement of the Data Protection Law is the OAC. The OAC is entitled to perform inspections of the state and conditions of technical and cryptographic protections measures used by the owners of information protection systems used for personal data processing. If any violation is revealed, the OAC may issue (i) order on the rectification of the violation and / or (ii) order on the suspension (termination) of information processing in the information system.

Criminal and administrative liability may apply in certain situations associated with unlawful disclosure and violations in processing of personal data.

The Criminal Code do not establish a general liability for unlawful disclosure of personal data. In the meantime, for intentional disclosure of adoption secrecy, a person could be sentenced to community works, criminal fine (in amount from 30 to 1,000 base units; 1 base unit equals BYN 29 as of 1 January 2021), or corrective works for the term up to one year. For unlawful collection or distribution of information regarding private life that is personal or family secrecy of another person without his / her consent (depending on certain circumstances), a person could be sentenced to community works, criminal fine, arrest, restriction or deprivation of liberty for up to three years.

The Administrative Offence Code provide for the liability for intentional disclosure of personal data by a person, who became familiar with this information in connection with his/her professional activity (if such disclosure does not fall under criminal sanctions). For this violation the infringer could be called to the fine in amount from 4 to 20 base units.

The Administrative Offence Code also prohibits certain violations associated with breach of computer systems or unlawful usage of systems intended for data processing. For example, for usage of information systems (including those used for processing of personal data) and data protection means not attested under applicable technical regulations (standards) in case attestation is obligatory a person / entity can be called to administrative fine with (or without) confiscation of the information protection means used. The approximate amount of fine is 5-20 base units – on a person, 10-20 base units – on an individual entrepreneur, 100-200 base units – on a legal entity.

Also the Parliament may consider in this session the draft Code of Administrative Offences stipulating specific sanctions for personal data processing violations, inter alia:

  • Intentional illegal processing of personal data of an individual without his/her consent or violation of his/her rights related to the processing of personal data may cause a fine up to 15 base units;
  • Non-compliance with requirements on data protection measures implementation may cause a fine ranging from 20 to 50 base units for legal entities.
Last modified 12 Jan 2021
Electronic Marketing

Electronic marketing is subject to the rules established by the Law on Advertising of 10 May 2007 No. 225-Z (Advertising Law) and the Law on Mass Media of 17 July 2008 No. 427-Z (Mass Media Law).

According to the general rule of the Advertising Law names, pen-names, images or expressions of Belarusian citizens cannot be used in advertisements without their consent or consent of their authorised representatives. At the same time, advertisements about goods (work, services) offered by an individual entrepreneur shall contain information about his / her initials and surname.

Distribution of advertisements by telecommunication means (e.g. telephone, telex, facsimile, mobile telephone communications, email) can be performed only with the consent of respective subscriber or addressee. The advertisement distributor is obliged to immediately stop advertising to subscriber or addressee upon his / her demand.

Individuals whose rights have been violated as a result of creation and / or distribution of an advertisement are entitled to protect their rights in court proceedings.

According to the Mass Media Law, information about person’s personal life or audio, video records and photos of a person can be distributed in mass media as a general rule only with consent of such person or his / her authorised representative.

Last modified 12 Jan 2021
Online Privacy

Belarus law does not specifically regulate online privacy. General requirements on personal data protection apply.

Certain specific online privacy requirements can be established under the legislation. For example, personal data of a person, who is a domain name administrator, can be disclosed in online WHOIS service of Belarusian domain zone only with consent of such person. However, consent is not required if the domain name was registered in the name of an individual entrepreneur.

Last modified 12 Jan 2021
Contacts
Kirill Laptev
Kirill Laptev
Senior Associate
Sorainen
T +375 17306 2102
Pavel Lashuk
Pavel Lashuk
Associate
Sorainen
T +375 17 306 2102
Last modified 12 Jan 2021