PERSONAL DATA IN BELARUS. NOVATIONS
Polina Antonenko, legal associate, GRATA International Belarus

A law focused on the regulation of personal data entered into force in Belarus on November 15, 2021.

Its provisions will affect almost all companies, as they significantly change the regulation of the processing of personal data.

1. What is personal data?

Personal data is any information relating to an identified individual or an individual who can be identified (i.e. there is no exact list).

Personally identifiable information (“PII”) is divided into:

  • publicly available (disseminated by the subjects themselves or with their consent);
  • special (race or nationality, religious beliefs, health or sexual life, etc.);
  • genetic (inherited or acquired genetic characteristics of a person).

2. What does the law regulate?

The act regulates:

  • processing;
  • spreading;
  • provision of personal data.

Any person that may carry out the above actions can be considered subject to the law and can be called an “operator”.

3. Extraterritorial effect

Unlike the GDPR (entered into force on May 25, 2018 in all EU countries), which has extraterritorial effect, the Belarusian law does not apply to foreign legal entities if the processing of personal data is carried out abroad.

The exception is representative offices of foreign legal entities on the territory of Belarus.

4. What categories of persons are distinguished by the Law?

Operator - any entity that organizes and (or) carries out the processing of data due to professional or entrepreneurial activities.

Authorized person - an entity that performs processing on behalf of the operator or in his interests in accordance with an act of legislation or on the basis of an agreement.

The subject of PII - an individual in respect of whom the processing of personal data is carried out.

5. How to process personal data?

The first main rule of the law is to process the minimum amount of data for a certain purpose.

The second main rule is that the processing of PII is possible only on the basis of the obtained consent of the subject, with the exception of cases defined in the law (e.g., when registering an employment relationship, to protect life and health, if obtaining consent is impossible, etc.).

6. How to obtain consent?

Consent shall be obtained prior to the processing of personal data and shall be free, unambiguous, informed, and expressed:

- in writing OR

- in the form of an electronic document (by signing through an EDS) OR

- in another electronic form (putting a checkmark on an Internet resource, a message to an e-mail address, etc.).

7. What regulation measures should companies take?

The act obliges operators to take legal, organizational and technical measures to protect data from unauthorized or accidental access.

Mandatory measures:

1. Operator shall appoint a structural unit or a person responsible for organizing data processing;

2. Issuance of documents that will determine the processing policy, as well as local legal acts that set out procedures for finding and preventing violations, eliminating their consequences;

3. Familiarization of the operator's employees and other persons, who work with PII, with the provisions of the law, local acts on data processing;

4. Establishing the order of access to data;

5. Implementation of technical and cryptographic data protection.



