Data Protection Law in Belarus:Safeguarding Personal Data in Belarusian Legislation

While GDPR applies to EU member countries and others under the EEA, data protection in BeBelarus is not directly subject to the General Data Protection Regulation of the European Union. The GDPR applies to EU member states and entities processing personal data of individuals within the EU. Since Belarus is not part of the EU, it is not bound by the GDPR's regulations.

However, Belarus has its own data protection laws, such as the Belarus Data Protection Act, which regulates the processing of personal data within the country. Businesses operating in Belarus need to comply with the local data protection regulations, including the requirements set forth in the Belarus Personal Data Protection (PDP) Law.

What is the Belarus Data Protection Act?

Belarus introduced the Law on the Protection of Personal Data (PDP Law), which entered into effect on November 15, 2021. Based on principles similar to the EU's GDPR, the PDP Law aims to safeguard individuals' rights when their personal information is processed. This analysis will delve into the key provisions of the PDP Law.

Prior to the PDP Law, Belarussian data protection was governed by the Law on Information, Informatization and Protection of Information (Law on Information) of 2008. While this law established general obligations for information system operators, it lacked specific data protection provisions. Key omissions included data breach notification requirements and robust safeguards for sensitive data.

To address these shortcomings, the comprehensive PDP Law was enacted in 2021. This legislation prioritizes individual rights in data processing, provides clear definitions for personal and special personal data, and outlines procedures for cross-border data transfers.

Is the Belarus Personal Data Protection Law applicable to my business?

The Belarus PDP Law applies to businesses that engage in the collection, processing, storage, or provision of personal data within the territory of Belarus.

1. Businesses based in Belarus: If your business is headquartered or has a physical presence in Belarus, the PDP applies to your operations there.
2. Processing data of Belarusian residents: Even if your business is located outside Belarus, you must comply with the PDP if you process personal data of individuals residing in Belarus.

What is personal data under the Belarus PDP Law?

Personal data under the Belarus PDP Law encompasses any information linked to an identifiable individual.

This includes a wide range of details such as names, addresses, contact information, financial data, and even biometric or health records. The law differentiates between standard personal data and more sensitive categories like genetic or biometric information, imposing stricter safeguards on the latter.

What is sensitive data under the PDP Law?

The PDP Law does not define 'sensitive data' but defines 'special personal data' as personal data related to race or nationality, political views, membership in trade unions, religious or other beliefs, health or sex life, administrative or criminal prosecution, as well as biometric and genetic personal data.

What are the duties of data controllers and data processors?

The Belarusian PDP Law uses a different terminology compared to other data protection regulations like the GDPR.Instead of "data controller" and "data processor," it employs the terms "operator" and "authorized person."

You, as a business owner, are most likely considered an operator. This means you hold the reins when it comes to your customers' personal data. You determine the reasons for collecting and processing the data, as well as the methods used.For instance, you decide whether to collect email addresses for marketing purposes or to process purchase history for customer segmentation.

On the other hand, an authorized person is essentially a service provider or contractor you hire to handle the data on your behalf. They follow your instructions but don't dictate how the information is used. For example, a cloud storage provider or a customer relationship management (CRM) platform might be considered authorized persons.

Understanding these roles is crucial because it clarifies who is responsible for ensuring compliance with data protection regulations. As the operator, you bear the primary responsibility for safeguarding your customers' data and meeting the requirements of the PDP Law.

Do we need consent to process personal data?

Consent is key. To use someone's personal data, you usually need their clear permission. This means they freely agree to let you process their information. You can get consent in writing, electronically, or even through a text message.

Before getting consent, you must be completely open with your customers about what you'll do with their data. Tell them who you are, why you need their data, exactly what information you'll collect, how long you'll keep it, and what you'll do with it. Explain their rights in simple terms, and let them know what happens if they say yes or no.

Remember: It's your responsibility to prove that your customers actually gave you permission. Also, they can change their mind anytime without giving a reason.

Do we need a privacy policy?

Even though the Belarusian PDP Law doesn't specifically say you need a privacy policy, it's a really good idea to have one.

A privacy policy is like a public commitment to your customers about how you handle their personal information. It shows them that you care about protecting their data, which builds trust.

By clearly explaining what information you collect, why you need it, and how you keep it safe, you can improve your relationship with customers and reduce your legal risks.

What are the data subject rights under the Belarus Personal Data Protection Law?

The Belarus Personal Data Protection Law grants individuals specific rights to control their personal information. These rights include:

• Right to be informed: Individuals have the right to know how their data is being processed, including the purposes, data retention periods, and any data sharing activities.
• Right to access: Individuals can request information about their personal data held by an organization, including the right to obtain copies of this data.
• Right to rectification: If personal data is inaccurate or incomplete, individuals have the right to request corrections.
• Right to erasure: In certain circumstances, individuals can request the deletion of their personal data.
• Right to object: Individuals can object to the processing of their personal data for specific reasons, such as direct marketing.

While the PDP Law does not explicitly include rights like data portability or the right to be forgotten, it does provide a foundation for individuals to exercise control over their personal information.

How to respond to data subject requests

Effectively handling data subject requests is crucial for compliance with the Belarus Personal Data Protection Law (PDP Law). Here's a general outline of steps to follow:

1. Acknowledge Receipt: Promptly acknowledge receipt of the request, informing the data subject of the timeframe for a response.
2. Verify the Data Subject's Identity: Implement procedures to verify the identity of the individual making the request to protect against unauthorized access.
3. Determine the Scope of the Request: Clearly understand the specific information the data subject is seeking or the action they are requesting.
4. Locate Relevant Data: Access and retrieve the necessary personal data from your systems.
5. Assess the Request: Evaluate the request against the provisions of the PDP Law and determine if you can fulfill it. Consider legal obligations, contractual restrictions, and legitimate interests.
6. Provide Information or Take Action: If the request is for access or rectification, provide the requested information or make the necessary corrections within the specified timeframe. If the request is for erasure or objection, process it according to the law and inform the data subject of the outcome.
7. Maintain Documentation: Keep records of all data subject requests and your responses.

What are the international data transfer requirements?

Belarus imposes strict rules on sending personal information outside the country. Generally, you can only transfer data to countries deemed to have strong data protection laws. There's a list of approved countries maintained by the Belarusian government. Transferring data to countries not on this list is usually prohibited.

However, there are exceptions. In some cases, you might be able to transfer data to countries not on the approved list if you have the individual's explicit consent or if specific laws allow it. Recently, Belarus has eased restrictions for data transfers within the Eurasian Economic Union (EAEU) countries.

It's crucial to understand these regulations and obtain necessary permits to avoid legal issues. Transferring data without proper authorization can lead to significant penalties.

What are the data breach requirements?

If your business suffers a data breach involving personal information, you have a strict obligation to report it to the Belarusian data protection authority within 72 hours. This includes incidents where data is lost, stolen, or accessed without authorization. While the number of affected individuals doesn't impact the reporting requirement, the severity of the breach will determine the actions you need to take.

Beyond the mandatory notification to the data protection authority, certain types of breaches may require additional reporting to other government agencies. For instance, if your business handles sensitive information like trade secrets,specific reporting obligations might apply.

It's crucial to have a robust incident response plan in place to effectively manage data breaches. This plan should outline steps for identifying, containing, investigating, and reporting breaches, as well as communicating with affected individuals and regulatory authorities.

Do we need to conduct DPIA?

While the Belarusian PDP Law doesn't explicitly require a formal Data Protection Impact Assessment (DPIA), it's clear that you need to be aware of the potential risks involved in handling personal data. For example, when dealing with sensitive information, you should put extra safeguards in place.

Additionally, if you're sending personal data to countries with weaker data protection standards, you need to inform your customers about the potential risks involved. This transparency is crucial for building trust.

Who enforces the Belarus PDP Law, and what are the penalties?

The National Personal Data Protection Center (NPDPC) is the primary authority responsible for overseeing data protection in Belarus. They're tasked with making sure businesses comply with data protection laws.

While the NPDPC is the main player, other government bodies also have a role. The President and the Council of Ministers set the overall direction for data protection in the country.

If you mishandle personal data in Belarus, you could face hefty fines. For instance, illegally collecting or sharing personal information could cost you up to EUR 2,050. Even accidental data leaks can result in fines of hundreds of dollars. Keep in mind that these are just the official penalties. You might also face lawsuits from affected individuals, which can lead to even higher costs.

How can Secure Privacy help you comply with the Belarus PDP?

Navigating the complexities of the Belarus Personal Data Protection law can be challenging. Secure Privacy's consent management platform offers a streamlined solution. By providing customizable cookie banners and consent mechanisms, Secure Privacy help businesses effortlessly capture lawful consent.

Schedule a demo with us today.