Prior to the enactment of the PDP Law, the main law governing data protection in Belarus was the Law of 10 November 2008, No. 455-Z, on Information, Informatization and Protection of Information ('the Law on Information'), which imposes general obligations on personal information held and used by information system operators and outlines requirements for the collection, processing, transfer, and storage of information. The Law on Information, however, does not specifically address a number of key data protection considerations, nor does it include data breach notification requirements or enhanced protections for sensitive data.

The issues presented by the Law on Information were the focus of the PDP Law, Belarus' first comprehensive data protection law. In particular, the PDP Law aims to ensure the protection of the rights and freedoms of individuals when processing personal data. The PDP Law also outlines a number of key definitions, including 'personal data' and 'special personal data,' and details the procedures for the cross-border transfer of data, among other things¹.

Key definitions and general requirements

The PDP Law introduces general definitions and terms that are similar to those found in the GDPR. These include definitions of the following terms; operators, authorised persons, personal data, special personal data, and depersonalisation (Article 1 of the PDP Law).

For instance, the PDP Law states that 'special personal data' is data that relates to information on race, nationality, political views, membership in trade unions, religious or other beliefs, health, or sex life, administrative or criminal prosecution records, and biometric or genetic personal data, and provides enhanced protections for the same (Article 1 of the PDP Law).

Moreover, the definitions of 'operator' and 'authorised person' are analogous to the definitions of 'data controller' and 'data processor' within the GDPR respectively. An 'operator' is defined as a state body, a legal entity of the Republic of Belarus, an organisation, or an individual, including an individual entrepreneur, independently or jointly with other specified persons organising and/or carrying out the processing of personal data. Furthermore an 'authorised person' is defined as a state body, a legal entity of the Republic of Belarus, an organisation, or an individual that, in accordance with an act of legislation, a state body decision, or on the basis of an agreement with an operator, processes personal data on behalf of the operator or in the interests thereof.

In addition, the PDP Law provides general requirements for the processing of personal information including lawfulness, proportionality, data minimisation, transparency, among others (Article 4 of the PDP Law).

Legal bases

The PDP Law establishes consent as the primary legal basis for the collection and processing of personal information.

Similar to the GDPR, the consent of the data subject must be a free, unambiguous, and informed expression of their will, through which the processing of their personal data is permitted, with such consent being obtained either in writing, electronic document, or another electronic form, such as email (Article 5 of the PDP Law).

Several exceptions exist to the requirement of consent, these include (Article 6 of the PDP Law):

• the existence of an agreement with the data subject;
• for the protection of the vital interests of a data subject;
• an indication of personal data in a document addressed to the operator and signed by the data subject;
• previously disseminated personal data unless the data subject communicates their withdrawal of consent;
• administrative and/or criminal proceedings, justice, or execution of court orders;
• to facilitate authorised activities of state bodies;
• personal information processed under the principles of national security, the fight against corruption, or the prevention of money-laundering;
• for scientific or other research purposes, subject to the mandatory pseudonymisation of personal data; and
• professional activities of a journalist or a media.

Operator obligations

Cross border data transfers

The PDP Law establishes similar requirements to the GDPR on data transfers outside of Belarus, for instance, an operator will need to ensure that the country to which personal information is being transferred provides a sufficient level of protection, otherwise such a transfer is generally prohibited, except for in certain circumstances (Article 9 of the PDP Law).

At the moment of writing, there is neither a list of the countries providing the sufficient level of protection, nor an explanation of the term 'sufficient level', under the PDP Law. It is expected that the National Data Protection Center ('the Centre') will produce a list of countries providing a sufficient level of data protection in due course

Further to the above, the PDP Law provides that personal data can be transferred to jurisdictions that do not provide an adequate level of data protection in the following circumstances, among others, where (Article 9(1) of the PDP Law):

• the consent of the data subject is given, provided that the data subject is informed about the risks arising from the lack of the appropriate level of their protection;
• personal data is obtained on the basis of an agreement concluded with the subject of personal data, in order to perform actions, established by this agreement;
• personal data can be obtained by a person sending a request in cases and in the manner prescribed by law
• such transfer is necessary to protect life, health, or other vital interests of the subject of personal data or other persons, and obtaining the consent of the data subject is impossible;
• the processing of personal data is carried out as part of the execution of international treaties of the Republic of Belarus;
• such transfer is carried out by the financial monitoring body in order to accept measures to prevent money laundering, terrorist financing and proliferation financing weapons of mass destruction in accordance with the law; or
• the relevant permission of the authorised body for the protection of rights has been obtained data subjects.

Data breaches

Under the PDP Law an operator is obliged to inform the Centre of any breach of personal data protection systems immediately, but in any case not later than within three days. Exceptions to this requirement may be established by the Centre (Article 16 of the PDP Law).

Vendor management

The PDP Law requires operators who engage another entity for the processing of personal data to have an agreement in place (Article 7 of the PDP Law). The agreement must contain prerequisites established by the PDP Law, including, setting out in a list the actions to be performed by the authorised entity, the reason and purpose of the data processing, the obligations to keep personal data confidential, and must establish measures for the protection of personal information in accordance with Article 17 of the PDP Law .

Data subject rights

The PDP Law establishes the following data subject rights (Chapter 3 of the PDP Law):

• Right to be informed
• Right to access
• Right to rectification
• Right to erasure
• Right to object
• Right to claim compensation

Notably, the data subject has the right to appeal to the Centre in the manner established by the legislation. To this end, decisions adopted by the Centre can also be appealed by the data subject in court in the manner prescribed by law.

Data protection authority

On 28 October 2021, the Centre in Belarus was established as the authorised body for the protection of data subjects' rights. The Centre is tasked with verifying the compliance of operators and processors with the PDP Law, Specifically, the Centre has the power to require companies to remedy identified violations of the PDP Law and to terminate the personal data processing if the protection of the rights of personal data subjects cannot be ensured.

In addition, the Centre must establish awareness and training to educate both the public and organisations on the topic of personal data protection.

Sanctions

The PDP Law and discussions leading to its signing to law, highlighted the importance of legislation with administrative and criminal liability for violations of its provisions.

In particular, amendments were introduced to the Code of Administrative Offences, to include four offences related to personal data protection which reflect the PDP Law, these include:

• the intentional and unlawful collection or processing of personal data of an individual or a violation of their rights related to the processing of personal data;
• the intentional and unlawful collection or processing of personal data of an individual or a violation of their rights related to the processing of personal data, by a person who has accessed said personal data due to their job;
• the intentional and unlawful distribution of personal data; and
• the lack of compliance with the provision of the measures for personal data protection. These fines are imposed by the court based on the protocols issued by the police.

In addition, amendments were made to the Criminal Code, particularly, where non-compliance with the measures for personal data protection resulting, through negligence, in the distribution and causing serious consequences to a data subject may lead, inter alia, to one year imprisonment or two-year limitation of freedom.

Lastly, the PDP Law gives power to data subjects to claim compensation for damage, including moral damage, caused by the violation of their rights (Article 19 of the PDP Law).

Theo Stylianou Privacy Analyst
[email protected]