The Law «On the Protection of Personal Data»: Principles and Procedures for Working with Personal Data
A new law regulating the protection of personal data has been adopted in the Republic of Belarus. The law “On the Protection of Personal Data” was officially published on May 14, 2021. According to the provisions of the legislation of the Republic of Belarus, this law comes into force 6 months after its publication, that is, in November 2021. This is the first law dedicated exclusively to the protection of personal data in the Republic of Belarus.
This Law is the foundation for protecting the rights and freedoms of individuals in connection with the processing of their personal data. It defines the principles and procedures for working with personal data, unifies the processing of personal data and establishes guarantees against the illegal distribution, provision and use of personal data of individuals, both in particular and in general.
Definition of personal data and its categories
The first thing to note is that the Law introduces a definition of personal data.
Personal data is any information related to an identified or identifiable individual.
This definition covers a wider range of information than before, when personal data was limited to the exhaustive list of information included in the population register in accordance with the Law of the Republic of Belarus “On the Population Register” dated July 21, 2008 No. 418-Z.
Categories of personal data
Personal data is divided into:
- publicly available personal data;
- sensitive personal data (including, but not limited to, biometric and genetic personal data);
- other personal data.
Dividing personal data into categories makes it possible to separate the information resources containing such data and will be the basis for determining the requirements for their protection.
Please note that a special category of data has been singled out: sensitive personal data.
Sensitive personal data – personal data related to race or nationality, political views, membership in trade unions, religious or other beliefs, health, or sexual life, administrative or criminal prosecution, as well as biometric and genetic personal data.
Personal data processing
The law establishes the definition of personal data processing.
Personal data processing – any action or set of actions performed with personal data, including the collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data.
Personal data processing covers all ways and possibilities of using the personal data received.
In turn, the processing of sensitive personal data is allowed only if a set of measures is taken to prevent the risks to the rights and freedoms of personal data subjects that may arise during the processing of such data.
Purposes of personal data processing
The law establishes restrictions on the admissibility of the collection and processing of personal data.
Personal data processing must be proportionate to the stated purposes and must ensure, at all stages of such processing, a fair balance of the interests of all parties involved.
Personal data processing should be limited to the achievement of specific, pre-stated legitimate goals. The processing of personal data that is incompatible with the originally stated purposes of processing is not allowed.
Before the declared purposes of personal data processing are changed, the consent of the personal data subject to the changed purposes must be obtained, unless there are other grounds for such processing provided for by the Law and other legislative acts.
Personal data protection: specifics of ensuring it
The Law sets out the essential and fundamental requirements that determine how personal data protection is to be ensured, namely:
- requirements for personal data processing;
- consent of the personal data subject and other grounds for the purposes of personal data processing;
- the rights of the personal data subject and the obligations of the operator, the principles of protection;
- measures to ensure the protection of personal data;
- authorized body for the protection of the rights of personal data subjects;
- responsibility for violation of the Law.
Consent to processing and basic requirements for companies
A mandatory condition before starting the processing of personal data is to obtain consent to the processing of personal data from the personal data subject (the individual in respect of whom the personal data is processed).
The consent of the personal data subject can be obtained in writing, in the form of an electronic document or in another electronic form, which particularly simplifies the process given how rapidly remote business operations are developing.
The measures to ensure the protection of personal data that companies are required to take are:
- appointment of a person responsible for internal control over the processing of personal data;
- publication of documents defining the policy of the operator (authorized person) regarding the processing of personal data;
- familiarization of employees of the operator (authorized person) and other persons directly engaged in personal data processing with the provisions of the legislation on personal data, including the requirements for the protection of personal data, documents defining the policy of the operator (authorized person) regarding personal data processing, as well as training of these employees and other persons in accordance with the procedure established by law;
- establishing the procedure for accessing personal data, including those processed in an information resource (system);
- provision of technical and cryptographic protection of personal data in accordance with the procedure established by the Operational and Analytical Center under the President of the Republic of Belarus, in accordance with the classification of information resources (systems) containing personal data.
Responsibility
Persons who have violated the provisions of the Law are liable under the legislative acts of the Republic of Belarus:
- intentional illegal collection, processing, storage, or provision of personal data of an individual or violation of his/her rights related to the personal data processing – entails the imposition of a fine in the amount of up to fifty basic units;
- intentional illegal collection, processing, storage, or provision of personal data of an individual or violation of his/her rights related to the personal data processing, committed by a person to whom the personal data became known in connection with his/her professional or official activities – entails the imposition of a fine in the amount of four to one hundred basic units;
- intentional illegal dissemination of personal data of individuals – entails the imposition of a fine in the amount of up to two hundred basic units;
- failure to comply with measures to ensure the protection of personal data of individuals – entails the imposition of a fine in the amount of two to ten basic units, on an individual entrepreneur – from ten to twenty-five basic units, and on a legal entity – from twenty to fifty basic units.
Moral damage caused to the personal data subject as a result of violation of his/her rights established by the Law is subject to compensation. Compensation for moral damage is awarded independently of compensation for property damage and losses incurred by the personal data subject.
The Law “On the Protection of Personal Data” and the GDPR (General Data Protection Regulation)
The adopted Law “On the Protection of Personal Data” is close to European standards in terms of personal data protection.
GDPR is a general regulation on the protection of personal data in the European Union, effective from May 25, 2018.
The Law contains many new concepts that are essentially identical to the norms of European legislation:
- personal data subject (GDPR – data subject) – an individual in respect of whom personal data is processed;
- operator (GDPR – controller) – a state body, a legal entity of the Republic of Belarus, another organization, an individual, including an individual entrepreneur (hereinafter, unless otherwise defined, – an individual), independently or jointly with other specified persons organizing and (or) processing personal data;
- authorized person (GDPR – processor) – a state body, a legal entity of the Republic of Belarus, another organization, or an individual who, in accordance with an act of legislation, a decision of the state body that is the operator, or on the basis of an agreement with the operator, processes personal data on behalf of the operator or in the operator's interests;
- the authorized body for the protection of the rights of personal data subjects (GDPR – data protection authority) – this body is planned to be created within 3 months. The competence of this body will cover: taking measures to protect the rights of personal data subjects when processing personal data; monitoring the personal data processing by operators; determining the list of countries with an appropriate level of protection of the rights of personal data subjects and issuing permits for cross-border transfer, etc.
As business develops both within the country and abroad, the Law “On the Protection of Personal Data” and the GDPR are closely linked in their processes and in their regulation of personal data protection as a whole.
A company that is registered and operates in the Republic of Belarus must comply with the GDPR requirements if it processes personal data of individuals located in the territory of the European Union.
You can learn more about the specifics of the regulation of personal data protection in the European Union and the impact of the GDPR on the business of Belarusian companies here.
We can help
Our specialists can provide your business with legal advice on all aspects of personal data protection at all stages of business activities, including, but not limited to:
- analysis of your company’s processes for compliance with the requirements of the Law;
- evaluating the effectiveness of the personal data protection model implemented in your company, or preparing a model if your company lacks one;
- preparation of draft contracts/agreements/consents in the field covering personal data protection;
- preparation of the necessary policies for complying with the provisions of the Law;
- training of your employees on mastering the new rules for working with personal data;
- implementation of processes to optimize the work on personal data protection.
Experts:
Ekaterina Kostinevich
Partner / Tax&Legal, Business process outsourcing
Angelina Satsuk
Associate