DLA Piper Intelligence

Data Protection
Laws of the World

Law

Belarus
Belarus

The main legal acts regulating personal data protection in Belarus are the Law on Information, Informatisation and Information Protection of November 10, 2008 No. 455-Z (Information Protection Law) and the Law on Population Register of July 21, 2008 No. 418-Z (Population Register Law).

We expect adoption of the Law on Personal Data in 2019. It will be the first Belarusian legal act intended specifically for regulation of personal data protection issues. The draft Law on Personal Data was prepared and in July 2018 published for public discussions.

The acts implemented within the framework of the Eurasian Economic Union (EEU) should also be taken into consideration, eg, the Protocol on Informational Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of May 29, 2014. Following the Decision of the Supreme Eurasian Economic Council of October 11, 2017 the member states of EEU are planning to develop the initiative on conclusion of the Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of measures aimed at implementation of the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.

Last modified 31 Jan 2019
Law
Belarus

The main legal acts regulating personal data protection in Belarus are the Law on Information, Informatisation and Information Protection of November 10, 2008 No. 455-Z (Information Protection Law) and the Law on Population Register of July 21, 2008 No. 418-Z (Population Register Law).

We expect adoption of the Law on Personal Data in 2019. It will be the first Belarusian legal act intended specifically for regulation of personal data protection issues. The draft Law on Personal Data was prepared and in July 2018 published for public discussions.

The acts implemented within the framework of the Eurasian Economic Union (EEU) should also be taken into consideration, eg, the Protocol on Informational Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of May 29, 2014. Following the Decision of the Supreme Eurasian Economic Council of October 11, 2017 the member states of EEU are planning to develop the initiative on conclusion of the Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of measures aimed at implementation of the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.

Last modified 31 Jan 2019
Definitions

Definition of personal data

According to the Information Protection Law, personal data consist of basic and additional personal data of an individual that are included in the population register, as well as other data enabling identification of certain individual. According to the Population Register Law basic personal data include the following types of information:

  • Personal ID-number
  • Name, second name, surname
  • Gender
  • Date and place of birth
  • Digital photo
  • Citizenship
  • Information regarding registration at the place of residence or stay
  • Information regarding death or recognition of a person to be dead, untraceable, incapable or partially capable

The list of additional personal is also indicated in Population Register Law and includes, inter alia, data on:

  • A spouse
  • Children
  • Relatives
  • Higher education
  • Military duty performance
  • Tax obligations

Belarus law does not define the notion of "other data enabling identification of certain individual." Arguably, mobile telephone number, email address, IP-address identifier could be recognized as personal data subject to certain conditions. However, there are no unified understanding on this issue among Belarusian researchers, as well as no confirmations based on court practice.

Definition of sensitive personal data

There is currently no concept of sensitive personal data under Belarus law.

The draft Law on Personal Data (in case adopted in currently available version) will introduce the definition of “special personal data.” Special personal data will include information about race, nationality, political, religious and other convictions, health and sexual activity; criminal conviction records; biometric and genetic personal data.

Last modified 31 Jan 2019
Authority

There are two main authorities involved in overseeing personal data protection issues: Operational and Analytical Centre under the Aegis of the President of the Republic of Belarus (the "Centre") and the Ministry of Communications and Informatisation of the Republic of Belarus (the "Ministry").

Should the draft Law on Personal Data be adopted in currently available version, special data protection authority will be designated in accordance with its provisions.

Last modified 31 Jan 2019
Registration

Belarusian law does not require any special registration for an entity / person to collect and process personal data or registration of a private information system (eg, database) used for processing of personal data. State information systems shall be registered regardless whether any personal data are processed in it or not. According to the Information Protection Law state information systems are information systems created and / or acquired at the expense of state or local budgets, state off-budget funds, or by state legal entities. Described registration can be performed for private owned information systems voluntarily. Registration is performed by specially authorized by the Ministry organization – SERUE “Institute of Application Software Systems.” One of the conditions for state registration of an information system is registration of all information resources included in such an information system.

Last modified 31 Jan 2019
Data Protection Officers

State bodies and legal entities which process personal data shall establish special departments or appoint employees responsible to ensure information protection. As a general rule, respective departments or appointed employees are responsible to take required technical and cryptography information protection measures. If for some reasons respective departments / employees cannot take such measures themselves, the head of a state body or a legal entity may involve a special organization licensed to perform activities on technical and / or cryptography information protection.

If the draft Law on Personal Data is adopted in its currently available version, a personal data operator which is a legal entity will be required thereunder to designate a special organizational unit (department, division, etc.) or appoint a person responsible of organization of collection, processing, distribution and provision of personal data.

Last modified 31 Jan 2019
Collection & Processing

Collection and processing of personal data must:

  • Be performed only with a written consent of personal data subject
  • Be performed in information systems equipped with information protection systems attested in the procedure established by the Centre (technical and cryptographic information protection means certified in accordance with Belarus law shall be used for creation of such information protection system)
  • Be performed having implemented certain legal, organizational and technical measures for personal data protection

The legal measures may include concluding agreements with an individual whose personal data are collected and processed. Such agreements should stipulate the terms of personal data usage, as well as parties liability for breach of such terms.

The organizational measures may include establishing a special entrance regime to the premises used for collection and processing, designation of employees who can have an access to such premises and data, and differentiation of access levels to respective information.

The technical measures may include using cryptography, technical means and other possible measures of control over information protection.

Last modified 31 Jan 2019
Transfer

According to the Information Protection Law, transfer of personal data shall be carried out with written consent of the personal data subject. Currently there are no specific requirements established for transfer of personal data from Belarus to abroad.

In practice, the employers receiving the personal data of their employees carry out possible measures (legal, organizational, technical, etc.) to prevent illegal distribution of personal data and comply with Information Protection Law requirements.

Should the draft Law on Personal Data be adopted in currently available version, cross-border transfer of personal data will become specifically regulated. For example, transfer of personal data to countries not ensuring sufficient personal data protection measures will be permitted only in limited number of cases, including inter alia with an individual permit of data protection authority.

Last modified 31 Jan 2019
Security

Appropriate technical, administrative and organizations security measures to secure personal data processed in an information system must be implemented.

Last modified 31 Jan 2019
Breach Notification

There are no general requirements under Belarusian law to report personal data protection breaches either to the state authorities, or the individuals whose personal data are concerned.

Certain requirements on notification of the Centre are set for specific cases of information protection system breach and inability to remove such breach within five working days.

Mandatory Breach Notification

There are no mandatory requirements under Belarusian law to report personal data protection breaches either to the state authorities, or the individuals whose personal data are concerned.

Certain requirements on notification of the Centre are set for specific cases of data protection system breach and inability to remove such breach within five working days.

Should the draft Law on Personal Data be adopted in its currently available version, it will establish obligation to notify data protection authority on breach of systems used for personal data protection immediately, but not later than within three days. This requirement will not cover minor breaches that could not lead to violation of the rights of personal data subject.

Last modified 31 Jan 2019
Enforcement

The key authorities involved in enforcement of the Law on Information Protection are the Ministry and the Centre.

Currently Belarusian law does not provide for any general liability for the breach of personal data protection requirements. Criminal and administrative liability can be applied for certain breaches related to data protection processing and violation of secrecy of person’s private information.

For example, under the Criminal Code for intentional disclosure of adoption secrecy, a person could be sentenced to community works, criminal fine (as a general rule approximate amount of criminal fine is €300-10,000 (as of January 11, 2019)), or corrective works for the term up to one year; for unlawful collection or distribution of information regarding private life that is personal or family secrecy of another person without his / her consent (depending on certain circumstances), a person could be sentenced to community works, criminal fine, arrest, restriction or deprivation of liberty for up to three years.

As to examples of administrative sanctions, under the Сode of Administrative Offenses for usage of information systems and data protection means not attested under applicable technical regulations (standards) in case attestation is obligatory a person / entity can be called to administrative fine with (or without) confiscation of the information protection means used. The approximate amount of fine in euro (as of January 11, 2019) is €50-200 – on a person, €100-200 – on an individual entrepreneur, €1000-2000 – on a legal entity.

Last modified 31 Jan 2019
Electronic Marketing

Electronic marketing is subject to the rules established by the Law on Advertising of May 10, 2007 No. 225-Z (the "Advertising Law") and the Law on Mass Media of July 17, 2008 No. 427 Z (Mass Media Law).

According to the general rule of the Advertising Law names, pen-names, images or expressions of Belarusian citizens cannot be used in advertisements without their consent or consent of their authorized representatives. At the same time, advertisements about goods (work, services) offered by an individual entrepreneur shall contain information about his/her initials and surname.

Distribution of advertisements by telecommunication means (eg, telephone, telex, facsimile, mobile telephone communications, email) can be performed only with the consent of respective subscriber or addressee. The advertisement distributor is obliged to immediately stop advertising to subscriber or addressee upon his/her demand.

Individuals whose rights have been violated as a result of creation and / or distribution of an advertisement are entitled to protect their rights in court proceedings.

According to the Law on Mass Media, information about person’s personal life or audio, video records and photos of a person can be distributed in mass media as a general rule only with consent of such person or his / her authorized representative.

Last modified 31 Jan 2019
Online Privacy

Belarusian law does not specifically regulate online privacy. General requirements on personal data protection are applicable.

Certain online privacy requirements can be established under the legislation. For example, personal data of a person, who is a domain name administrator, can be disclosed in online WHOIS service of Belarusian domain zone only with consent of such person. However, consent is not required if the domain name was registered in the name of an individual entrepreneur.

Last modified 31 Jan 2019
Contacts
Kirill Laptev
Kirill Laptev
Senior Associate
T +375 17306 2102
Anna Kasko
Anna Kasko
Associate
T +375 17 306 2102
Last modified 31 Jan 2019