A law specifically dedicated to personal data entered into force in Belarus on November 15, 2021.
The provisions of the new legal act will affect almost all companies, as they significantly change and clarify the regulation of the processing of personal data of customers, contractors and employees.
1. What is personal data?
Personal data - any information relating to an identified individual or an individual who can be identified (i.e. there is no exact list).
Personal data is divided into:
- publicly available (data disseminated by the subjects of personal data themselves or with their consent, or disseminated in accordance with the requirements of the law);
- special (data on race or nationality, political views, religious or other beliefs, health or sexual life, biometric personal data, etc.);
- genetic (inherited or acquired genetic characteristics of a person that contain unique data about his physiology or health).
2. What does the law regulate?
The document regulates:
- processing;
- spreading;
- provision of personal data.
Any person (individual or legal entity, including online stores, banks, etc.) that may carry out the above actions is subject to the law and is called an «operator».
For reference:
Processing - any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion.
3. Extraterritorial effect
Unlike the GDPR (entered into force on May 25, 2018 in all EU countries), which is extraterritorial in nature, i.e. its rules, subject to certain conditions, apply to non-residents of the European Union, the Belarusian law does not apply to the activities of foreign legal entities if the processing of personal data is carried out abroad.
The exception is representative offices of foreign organizations on the territory of Belarus.
4. What categories of persons are distinguished by the Law?
Operator - any entity that independently or jointly with someone organizes and (or) carries out the processing of data due to professional or entrepreneurial activities.
Authorized person - an entity that performs processing on behalf of the operator or in his interests in accordance with an act of legislation or on the basis of an agreement.
The subject of personal data - an individual in respect of whom the processing of personal data is carried out.
5. How to process personal data?
The first postulate of the law is the processing of the minimum amount of data necessary to achieve the goal. That is, personal data that is not necessary to achieve a specific goal should not be collected.
The second postulate is that the processing of personal data is possible only on the basis of the obtained consent of the subject, with the exception of cases defined in the law (for example, when registering an employment relationship, in order to pay a pension, to protect life and health, if obtaining consent is impossible, and so on).
6. How to obtain consent?
Consent is obtained prior to the processing of personal data, is free, unambiguous, informed and must be obtained:
- in writing;
- in the form of an electronic document (by signing through an EDS);
- in a different electronic form (putting a check mark on an Internet resource, receiving an SMS message, a message to an e-mail address, etc.).
7. What measures should companies take?
The act obliges companies to take legal, organizational and technical measures to protect data from unauthorized or accidental access.
Mandatory measures:
1. Appointment by the operator of a structural unit or a person responsible for organizing data processing;
2. Issuance of documents that will determine the processing policy, as well as local legal acts that set out procedures for finding and preventing violations, eliminating the consequences of such violations;
3. Familiarization of the operator's employees and other persons, who work with personal data, with the provisions of the law, local acts on data processing;
4. Establishing the order of access to data;
5. Implementation of technical and cryptographic data protection (data transmission via certified encrypted communication channels).
8. What are the penalties for violations?
Violations in the field of personal data are grounds for bringing to administrative and criminal liability. For example, intentional illegal collection, processing, storage or provision of data of an individual, or violation of his rights related to processing, entails a fine of up to 50 basic units, and failure to comply with measures to ensure the protection of personal data of individuals entails a fine of 10 to 25 basic units for an individual entrepreneur and of 20 to 50 basic units for a legal entity.
For reference: 1 basic unit is 32 Belarusian rubles, which as of January 31, 2022 is about 11 euro.