From 15 November 2021 provisions aimed at data protection come into legal force in Belarus
The Law on data protection dated 7 May 2021 No. 99-Z (the “Law”) is aimed at ensuring protection of personal data (“PD”), rights and freedoms of individuals when processing their PD.
Personal data is any information relating to an identified (or identifiable) individual.
The main condition required to process PD is the consent of the PD subject that should be received by the operator. At the same time, PD operators include, for example, state authorities, legal entities of the Republic of Belarus, other companies, individuals (individual entrepreneurs), who independently or jointly with others mentioned above organize and (or) process PD. The Law sets forth the criteria under which consent is deemed to have been duly received. Thus, the consent of PD subject should be a free, clear, informed expression of their will, through which they allow processing of their PD. The purpose of processing should be commensurate with the purpose stated for processing as well as ensuring a fair balance of interests among all interested parties at all stages of processing. Purposes should be legal, specific, and specified in advance. In the case of changes in the originally specified purposes, the operator should receive a new consent. At the same time, storage of PD should not be longer than the specified purposes of PD processing require it.
Prior to receiving a PD subject’s consent, the operator has to inform the PD subject about the following:
At the same time, receiving the consent of a PD subject is not required in cases established by the Law.
Consent can be expressed in writing, in the form of an electronic document or in another electronic form (ticking off on an Internet resource, receiving a code to an e-mail address, by SMS).
PD to third parties can be transferred only on behalf of the operator or in its interests on the basis of agreement provided that it includes the conditions set forth by the Law. Cross-border transfer of PD is prohibited if there is no adequate level of data protection on the territory of a foreign state. However, the Law sets forth some exceptions. The list of countries providing an adequate level of protection of rights of PD subjects has not yet been determined. The list is expected to include countries that have ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108 (concluded in Strasbourg on 28 January 1981).
The Law enshrines a set of rights granted to PD subjects, including the right to withdraw consent, the right to demand termination and/or deletion of PD processing, as well as the right to receive information about PD processing.
Illegal processing, violation of rights of a PD subject or PD protection rules may lead to administrative liability. Thus, an individual (director) or a company can be fined up to 200 basic units (approx. 2 050 Euro).
From entry into legal force of the Law, new duties are imposed on PD operators – legal related to receiving and processing of PD, such as appointing a person responsible for PD protection, bringing into line with the Law / developing company policy in the field of PD protection, familiarization and training of employees who directly process PD, etc.
From 15 November 2021, a new Ukaz of the President of the Republic of Belarus on measures to improve protection of personal data dated 28 October 2021 No. 422 also comes into legal force. This Ukaz establishes the National data protection center of the Republic of Belarus (NDPC) and also its competence and authority. The NDPC becomes an additional controlling authority in Belarus as far as it is empowered to control data processing by operators (authorized persons).
bnt Minsk office is here to provide legal assistance in drafting documents required to bring your company’s activities into compliance with the new legislation on data protection.
Source: National legal internet portal of the Republic of Belarus (NLIP), 13.05.2021, 2/2819.