Amendments to the Belarusian legislation on personal data processing

News, 18 October 2022
towfiqu barbhuiya fna5pazqhmm unsplash

On October 10, 2022, Law No. 209-Z “On Amendments to Laws on Personal Data Processing” (hereinafter referred to as the “Law”) was published.

The Law introduced amendments related to the processing of personal data (hereinafter — “PD”) to a number of other laws of the Republic of Belarus, namely:
– Law No. 133-Z of July 22, 2002 “On State Registration of Immovable Property, Rights to It and Transactions with it”;
– Law No. 418-Z of July 21, 2008 “On the Population Register”;
– Law No. 419-Z of July 21, 2008 “On the State Border of the Republic of Belarus”;
– Law No. 455-Z of November 10, 2008 “On Information, Informatization and Information Protection” (hereinafter — “the Law on Information”).

The amendments introduced by the Law generally do not establish new obligations for companies in Belarus compared to the Law of May 7, 2021 No. 99-Z “On Personal Data Protection” (hereinafter referred to as the “Law on PD Protection”), but are mainly aimed at bringing the previously mentioned legal acts into compliance with the legislation on PD protection.

It is important to note that outdated regulations on the processing of PD that do not fully comply with the Law on the Protection of PD are excluded from the Law on Information.

Therefore, now the concept of “Personal Data” is used only in the meaning provided for by the Law on the Protection of PD.
In addition, the provision on the requirement to obtain only written consent to the processing of PD is excluded from the Law on Information. In this matter, one should be guided by the provisions of the Law on the Protection of PD, which, in addition to writing, also allow the option “in the form of an electronic document or in another electronic form.”

Finally, when implementing measures to protect PD, companies should be guided not by the excluded Article 32 of the Law on Information, but by the much more detailed Article 17 of the Law on the Protection of PD.

Recall that the responsibilities for business in the field of PD protection include, in particular:

  • appointment of a person responsible for internal control over PD processing (does not apply to sole proprietors);
  • publication of documents defining the policy regarding the processing of PD;
  • familiarization of employees and persons directly involved in the processing of personal data with the provisions of the PD
  • legislation and local documents in this area, as well as training of these persons;
  • establishing the order of access to PD;
  • implementation of technical and cryptographic protection of PD.

If you have any additional questions or need advice in the field of IP and Data Protection, we will be glad to help.

Author: Matsvei Haradnik