Belarus - Data Protection Overview

November 2024

1. Governing Texts

Currently, Belarus is not a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). The Law of May 7, 2021, No. 99-Z on Personal Data Protection (only available in Russian here) (PDP Law) sets out general principles of processing (including collection, storage, use, distribution, provision, and erasure) of personal data, provides for basic terminology in that field, defines the rights of data subjects as well as obligations of operators (similar to data controllers in the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)).

The PDP Law introduces a data protection authority, the National Personal Data Protection Center (NPDPC), which is supposed to control data processing activities and to take steps (including providing clarifications) to ensure the right application of the provisions of the PDP Law.

It is recommended to regularly monitor new legislation and guidelines, because the NPDPC is active in developing its approach to different issues faced in practice and communicating its position in public.

Nevertheless, there are a number of legislative amendments of a technical character connected with personal data regulation. In particular, the Law of November 10, 2008, No. 455-Z on Information, Informatization and Protection of Information (only available in Russian here) (the Law on Information) stipulates, inter alia, the principle of personal data protection in relations connected with information, a prohibition on demanding the personal data of an individual, the right of the information user to familiarize themselves with their personal data, etc. Despite that, the Law on Information mostly refers to the PDP Law as a basic regulation of personal data and its protection.

Below, we have concentrated on the key provisions of the PDP Law with certain references to the currently effective Law on Information.

1.1. Key acts, regulations, directives, bills

  • The Constitution of the Republic of Belarus of 1994 (only available in Russian here)
  • The Law on Information
  • The PDP Law
  • The Code of Administrative Offenses of the Republic of Belarus of January 6, 2021, No. 91-Z (only available in Russian here) (the Administrative Code)
  • The Criminal Code of the Republic of Belarus of July 9, 1999, No. 275-Z (only available in Russian here) (the Criminal Code)

With the adoption of the PDP Law, Belarusian legislation provides for more systemic regulation of data processing activities, including key principles and terminology, data subjects' rights, and operators' obligations. In many aspects, the PDP Law follows the basic concept of the GDPR, including the main principles to ensure data privacy; however, it is not as detailed and mostly uses different terminology to the GDPR.

The Administrative Code stipulates sanctions (detailed in the section on penalties) for illegal collection, processing, storage, or provision of personal data, as well as for failure to comply with measures to ensure the protection of personal data. In addition, the Criminal Code sets out penalties (detailed in the section on penalties) for illegal actions in relation to personal data and failure to comply with measures to ensure the protection of personal data. For these penalties to be imposed, the actions must cause substantial harm and grave consequences.

1.2. Guidelines

Currently, the NPDPC has released several recommendations in certain spheres of personal data regulation. There are recommendations:

  • for the register of personal data processing (examples) (only available in Russian here);
  • for drawing up a document defining the policy of the operator (authorized person) regarding the processing of personal data (only available in Russian here);
  • on the processing of personal data in connection with labor (service) activities (only available in Russian here);
  • on the relationship of operators and authorized persons in the processing of personal data (only available in Russian here); and
  • on the application of legislation on personal data in the activities of institutions of secondary special and higher education (only available in Russian here).

Additionally, the NPDPC publishes its comments and guidelines in Question and Answer (Q&A) format on its official website.

1.3. Case law

Belarus case law is not a source of law per se; we are not aware of this being established in practice. In addition, court proceedings in regard to the protection of personal data have not been numerous, but the practice is being developed currently after new regulations in the sphere have come into force. A range of leakages were detected by the NPDPC between 2023 and 2024. Such leakages took place, for example, in the retail and banking spheres. Nonetheless, we see the possibility of bringing the cases before Belarusian courts since the PDP Law provides for, inter alia, compensation for moral damage caused by the violation of the data subject's rights.

This possibility is also reflected in the PDP Law, which provides for the processing of personal data without the data subject's consent in court proceedings. Nevertheless, the Civil Procedure Code of the Republic of Belarus of January 11, 1999, No. 238-З (only available in Russian here) stipulates that the court proceedings may be conducted in a closed manner at the request of one or both parties.

2. Scope of Application

2.1. Personal scope

The PDP Law provides for the following key roles of the parties involved in the collection, storage, use, distribution, provision, and erasure of personal data and ensuring data protection measures:

  • a data subject;
  • an operator;
  • an authorized person that processes personal data on behalf of and in the interest of the operator;
  • a person appointed by the operator (or the operator's organizational unit) responsible for internal control of the processing of the personal data (the Data Protection Officer) (DPO); and
  • a state body specifically authorized to regulate personal data protection relations (i.e., the Data Protection Authority (DPA)).

2.2. Territorial scope

The PDP Law does not specifically address whether it has an extraterritorial effect; rather, general rules of the territorial scope of legal acts apply. The definition of the operator comprises 'other organizations' without clarification on whether foreign organizations processing the personal data of Belarusians are concerned.

According to the NPDPC's clarification, a non-Belarusian company acting in Belarus via its representative office can be qualified as an operator with respect to the data processing activity of such representative office. At the same time, based on current approaches, the PDP Law should not apply to non-Belarusian companies having no corporate presence in Belarus (i.e., no extraterritorial effect similar to the GDPR).

It can be expected that the NPDPC will clarify the issue during the enforcement cases in a more detailed way and establish a unified approach in the future.

2.3. Material scope

The PDP Law covers the protection of personal data while the processing of such data is accomplished with the use of:

  • automated means (tools); or
  • non-automated means (tools), if such means (tools) provide the possibility of searching for personal data and (or) accessing personal data with the help of certain criteria (card indexes, lists, databases, logs, etc.).

Processing means any type of action or set of actions taken in relation to personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, or erasure of personal data.

The PDP Law will not apply to the processing of personal data that is:

  • accomplished for exclusively personal use, not relating to professional and entrepreneurial activity; or
  • related to state secrets.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The NPDPC functions as the DPA. The NPDPC's establishment has been formalized by the PDP Law and Regulation On National Personal Data Protection Center approved by Presidential Edict of October 28, 2021, No. 422 (only available in Russian here).

At the same time, general governance in the sphere of information protection is performed by the President of the Republic of Belarus (the President) and the Council of Ministers of the Republic of Belarus (the Council of Ministers). They lay down basic requirements, as well as determine and ensure a unified state policy on data protection.

The Belarusian DPA is responsible for taking measures to ensure the protection of data subjects' rights. It is declared as a body acting independently based on the PDP Law and other legislation.

In general, the following state authorities are involved in regulating data and data protection issues:

Compliance with the legislative requirements related to the protection of confidentiality on certain types of data is controlled by authorized state bodies, for example, the National Bank of the Republic of Belarus with respect to banking secrecy, the Ministry of Justice with respect to attorney-client privilege, etc.

3.2. Main powers, duties and responsibilities

The PDP Law provides for the following duties of the DPA, inter alia:

  • ensure processing of personal data in accordance with legal requirements;
  • deal with data subjects' complaints;
  • require operators (authorized persons) to modify, block, or erase inaccurate or illegally obtained personal data, eliminate other violations connected with personal data;
  • indicate a list of foreign states where data transfers can be carried out;
  • issue permits for the cross-border transfer of personal data, if a foreign state is not on the list;
  • provide clarifications on personal data issues; and
  • publish annually a report on its activities.

The DPA is empowered to request and receive any relevant information concerning the processing of personal data from state bodies, entities, and individuals in order to check the lawfulness of processing.

4. Key Definitions

The PDP Law provides for the following key definitions concerning data protection.

Data controller: The PDP Law does not define 'data controller' but defines an 'operator' as a state body, a legal entity of the Republic of Belarus, another organization, an individual, including an individual entrepreneur, independently or jointly with other specified persons organizing and (or) carrying out the processing of personal data.

Data processor: The PDP Law does not define 'data processor' but defines an 'authorized person' as a state body, a legal entity of the Republic of Belarus, another organization, an individual that, in accordance with an act of legislation, a decision of the state body that acts as the operator or on the basis of an agreement with the operator, processes personal data on behalf of the operator or in the interests thereof.

Personal data: Any information relating to an identified natural person or natural person who can be identified.

Sensitive data: The PDP Law does not define 'sensitive data' but defines 'special personal data' as personal data related to race or nationality, political views, membership in trade unions, religious or other beliefs, health or sex life, administrative or criminal prosecution, as well as biometric and genetic personal data.

Health data: The PDP Law does not define 'health data' but defines 'genetic personal data' as information related to the inherited or acquired genetic characteristics of a person, which contains unique data about their physiology or health and can be identified, in particular, when examining their biological sample.

Biometric data: Information characterizing the physiological and biological characteristics of an individual, which are used for their unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.).

Pseudonymization: The PDP Law does not define 'pseudonymization' but defines 'depersonalization' as actions as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data to a specific subject of personal data.

Processing of Personal Data: Any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, and erasure.

5. Legal Bases

The PDP Law provides for a specific list of legal bases for the processing of personal data.

Generally, the processing of personal data is carried out based on the data subject's consent. Exceptions to that rule are stipulated by the PDP Law and other legislative acts.

5.1. Consent

The consent of the data subject is a free, unambiguous, and informed expression of their will through which the processing of their personal data is permitted.

The consent can be obtained in writing, in the form of an electronic document, or in another electronic form (e.g., via email or SMS).

Prior to obtaining the consent, the operator is obliged to provide the data subject with information concerning the processing of personal data, which includes, inter alia:

  • the operator's name;
  • the purposes of processing;
  • a list of personal data;
  • the period of consent; and
  • a list of actions regarding personal data.

Further to this, the operator, prior to obtaining consent, is obliged to clarify to the data subject in plain and simple language their rights, the realization mechanism of such rights, and the consequences of giving consent or refusing to give it.

The burden of proving the data subject's consent lies upon the operator. The data subject has the right to withdraw their consent at any time and without giving reasons.

Exceptions to consent

The PDP Law stipulates a number of exceptions where the processing of personal data does not require the data subject's consent. Such exceptions include, inter alia:

  • an agreement concluded (being negotiated) with the data subject;
  • protection of the data subject's life, health, or other vital interests;
  • indication of personal data in a document addressed to the operator and signed by the data subject;
  • labor relations;
  • previously disseminated personal data until the data subject objects to the processing thereof;
  • administrative and (or) criminal proceedings, justice, and execution of court orders;
  • control (supervision) activity of state bodies;
  • national security, fight against corruption, prevention of money laundering;
  • for scientific or other research purposes, subject to the mandatory depersonalization of personal data;
  • notarial activities; and
  • professional activities of a journalist or a media, etc.

5.2. Contract with the data subject

Please see the section on consent above.

5.3. Legal obligations

Please see the section on consent above.

5.4. Interests of the data subject

Please see the section on consent above.

5.5. Public interest

Please see the section on consent above.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Please see the section on consent above.

6. Principles

The principles of processing personal data are formulated by the PDP Law as the general requirements for processing. Such requirements include:

  • legality of the processing of personal data, based either on the data subject's consent or law;
  • proportionality of the processing in regard to the stated purposes of processing and respect of data subjects' interests;
  • limitation of the processing of personal data by the specific legitimate purposes stated in advance;
  • compliance of the content and scope of personal data with the stated purposes;
  • transparency of the processing of personal data, implying the provision of data subjects with the relevant information;
  • accuracy of the personal data processed by the operator and, if necessary, actualization of personal data; and
  • limitation of the storage of personal data to the period required by the stated purposes of processing personal data.

7. Controller and Processor Obligations

7.1. Data processing notification

Generally, operators and their authorized persons are not required to notify the DPA of the processing of personal data. Nevertheless, the DPA is entitled to request and receive any information concerning the operators' and their authorized persons' compliance with data protection rules.

From January 1, 2024, operators submit the data on particular information resources (systems) containing personal data into the state-run resource 'Register of Personal Data Operators' (only available in Russian here). In general terms, information resources (systems) refer to databases.

An information resource (system) is subject to inclusion in the register if it meets one of the following criteria:

  • carries out the cross-border transfer of special personal data to countries not ensuring sufficient measures of personal data protection;
  • processes biometric and/or genetic personal data;
  • processes the personal data of more than 100,000 individuals; or
  • processes the personal data of more than 10,000 individuals under the age of 16.

7.2. Data transfers

According to the general rule provided by the PDP Law, the cross-border transfer of personal data to countries not ensuring sufficient measures of personal data protection is prohibited. The list of 'adequate' countries is determined by the DPA.

The PDP Law provides for exceptions, where transfers are allowed to the jurisdictions that are not in the list defined by the DPA. For example, such cases include the consent of the data subject with due notification of the relevant risks or a permit for cross-border transfer issued by the DPA.

On December 26, 2022, the NPDPC announced that Order No. 114 On Changing the Order of the Director of the National Centre for the Protection of Personal Data of the Republic of Belarus, dated November 15, 2021 (only available to download in Russian here) (Order No. 114) had been signed and amends Order No. 14 'On Cross-Border Data Transfers' (only available in Russian here). Order No. 114 provides that Member States of the Eurasian Economic Union (EEU) should be added to the list of foreign countries that provide an adequate level of protection for the purposes of cross-border data transfers.

In addition, Order No. 114 outlines that data may still be transferred to countries not deemed to provide an adequate level of protection in the following circumstances:

  • when the processing of personal data is necessary to fulfill obligations provided for by legislative acts; and
  • when information regarding the activities of state bodies and organizations is uploaded onto the global internet by the State, or, in the case of business entities, provided that the Republic of Belarus, or an administrative-territorial unit, can determine the decisions made by these businesses.

Notably, Order No. 114 states that, for the aforementioned data transfers, operators do not need to submit a permit application to the NPDPC for the cross-border transfer of personal data.

In certain cases, Belarusian legislation requires the collection and storage of personal data in Belarus. For example, Law of July 17, 2008, No. 427-Z on Mass Media (only available in Russian here) (the Mass Media Law) obliges owners of websites used for disseminating mass information to collect and store certain identification data on users in Belarus if they can publicly post materials or comments on such websites. However, in our opinion, this obligation does not limit cross-border transfer and/or copying of personal data to servers located outside Belarus.

7.3. Data processing records

Belarusian law does not stipulate an obligation for operators and/or their authorized persons to maintain data processing records. However, there are certain obligations to report certain breaches of data protection systems.

7.4. Data protection impact assessment

The PDP Law does not explicitly require an impact assessment. However, certain requirements are formulated so that the operator should take potential risks into account (e.g., for the purpose of implementation of protection measures while processing special personal data). In addition, the operator must inform the data subject of the risks that may occur in connection with the transfer of personal data to jurisdictions where measures of personal data protection are insufficient.

7.5. Data protection officer appointment

An organization or other party processing information limited for distribution (including, among other things, personal data) in an information system is currently obliged to create an information protection system to secure information in the system. The information protection system should be certified according to the procedure established by the OAC. As a part of the creation of such a system, the party may be required to establish a special organizational unit (e.g., department, division), appoint a responsible official, or involve an independent contractor licensed to perform related activities that will perform the technical work associated with the creation of such a system.

One of the mandatory measures under the PDP Law to ensure personal data protection is the appointment of the department or person responsible for internal control over the processing of personal data by the operator (authorized person, a kind of analog to the DPO under the GDPR). The PDP Law does not specify any requirements for such a unit/person. However, the NPDPC indicates that the authorized person shall be appointed with consideration of their knowledge of personal data regulation and practice of its application, as well as skills to perform their labor functions. According to the qualification characteristics, the DPO shall have higher education. Additionally, authorized persons of particular organizations are obliged to attend special trainings organized by the NPDPC.

7.6. Data breach notification

The operator is obliged to inform the DPA of any breach of personal data protection systems immediately, and in any case within three days, in writing or in the form of an electronic document. The notification to the NPDPC can be omitted if the breach did not result in:

  • illegal distribution, provision of personal data; or
  • amendment, blocking, or erasure of personal data with no option to restore access.

The obligation to give such notification does not depend on the number of persons affected by the violation.

Certain requirements on the notification of the OAC are set for specific cases of information protection system breaches or periodical reporting as required by Belarusian law. The respective requirements are set forth in the Regulations on the procedure for submitting information about information security events, the state of technical and cryptographic protection of information to the OAC, as approved by the Order of the OAC of February 20, 2020, No. 66 On Measures to Implement the Edict of the President of the Republic of Belarus of December 9, 2019, No. 449 (only available in Russian here).

Moreover, notification requirements may be imposed in specific legislation regulating the processing of certain types of data. For example, in cases of unlawful disclosure, use, or another unlawful breach of confidentiality of trade secrets, the recipient of such information is obliged to notify without delay the owner of any such trade secrets.

7.7. Data retention

The PDP Law provides for the rule according to which the storage of personal data (in the form that allows the identification of the data subject) must be limited to the period required by the stated purposes of processing personal data.

Currently, the specific terms for the obligatory storage of different types of data are regulated in general by the legislation on archiving and records management. For example, the terms for storage of different types of documents of the National Archives of the Republic of Belarus (including documents on the appointment of employees to job positions and their dismissal, correspondence on companies' administrative and operational issues, etc.) are provided by the List of Standard Documents of the National Archives of the Republic of Belarus, Generated in the Process of the Functioning of State Authorities, Other Organizations, and Individual Entrepreneurs Indicating Storage Periods, approved by Resolution of the Ministry of Justice of the Republic of Belarus No. 140 dated May 24, 2012, (only available in Russian here). Respective documents may contain limited/confidential information (e.g., personal data, trade secrets).

The PDP Law provides for a specific right for a personal data subject to request erasure of their personal data if the grounds cease to exist, for example, where the term of the data subject's consent for the processing of their personal data has expired.

7.8. Children's data

Belarusian law contains fragmentary regulation of children's data. In particular, according to the Mass Media Law it is prohibited to disseminate in the media, on internet resources, information on a minor who has suffered as a result of illegal actions or inaction without the consent of their legal representative.

According to the PDP Law, the general age at which a person may give consent for operations with their personal data is 16 years. If a person is under 16 years, such consent should be given by their legal representative.

7.9. Special categories of personal data

The PDP Law provides for the processing of special personal data. The special personal data includes data concerning race or nationality, political views, membership in trade unions, religious or other beliefs, health or sex life, administrative or criminal prosecution, as well as biometric and genetic personal data.

The PDP Law provides for the specific legal grounds for the processing of special personal data in case of the absence of the data subject's consent, including making such data publicly available, labor relations, medical assistance, administrating justice, etc.

The PDP Law requires an impact assessment only in case of the processing of special personal data (sensitive data).

7.10. Controller and processor contracts

An operator may authorize another person or entity to process personal data on the basis of an agreement.

The agreement between the operator and the authorized person shall contain the following provisions:

  • a list of actions in regard to personal data that could be performed by the authorized person;
  • the purposes of the above actions;
  • confidentiality obligations with respect to personal data; and
  • measures to ensure the protection of personal data in accordance with the PDP Law.

Mandatory measures to ensure the protection of personal data are:

  • legal measures, like publication of documents defining the policy of the operator (authorized person) regarding the processing of personal data;
  • organizational measures, like the appointment of a structural unit or a person responsible for the control over the processing of personal data – the DPO;
  • familiarization of employees and other persons directly engaged in the processing of personal data with the provisions of the legislation on personal data, including the requirements for the personal data documents of the operator (authorized person), as well as training of these employees and other persons;
  • establishing the procedure for accessing personal data; and
  • technical measures, like the implementation of technical and cryptographic protection of personal data.

Notwithstanding the terms of the agreement, the operator (but not the authorized person) is obliged to obtain the consent of the data subject for actions with their personal data.

According to the NPDPC's comments to the PDP Law (only available in Russian here), although a list of mandatory measures to be taken by any operator (with some exceptions) is set out, the depth of implementation of such measures is determined on the basis of the activities of a particular operator, which also reflects the risk-based approach.

The Law on Information provides for the classification of data protection measures that should be taken with respect to information. These measures include:

  • legal measures, including the conclusion of agreements between the owner and user of the information containing conditions of data usage; such agreements should contain provisions on liability of parties to the agreement for breach of respective conditions;
  • organizational measures, including establishing a special access regime to premises where access to information (tangible media) may be provided, as well as differentiating access levels to such information; and
  • technical measures, including the usage of cryptography and technical means of information protection and control.

8. Data Subject Rights

8.1. Right to be informed

The operator involved in the processing of personal data shall give clarifications to the data subject regarding their rights related to the processing of their personal data prior to consent collection. Prior to obtaining the consent, the operator is obliged to provide the data subject with information concerning the processing of personal data, which includes, inter alia:

  • the operator's name;
  • the purposes of processing;
  • a list of personal data;
  • the period of consent; and
  • a list of actions in regard to personal data with a general description of processing methods.

Further to this, the operator, prior to obtaining consent, is obliged to clarify to the data subject in plain and simple language their rights, the realization mechanism of such rights, and the consequences of giving consent or refusing to give it.

The operator shall also provide certain information following the data subject's request (as described in the section on the right to access).

8.2. Right to access

Data subjects are entitled to receive information on the processing of their personal data as well as information on the transfer of the data to third parties, including:

  • name of the operator;
  • confirmation of the fact of data processing;
  • description of personal data and the sources of data;
  • legal grounds and the purposes for the data processing;
  • period for the data subject's consent; and
  • information on the authorized person.

Information on the transfer of personal data to third parties can be obtained from the operator by the data subject free of charge once a year.

8.3. Right to rectification

Under the PDP Law, an operator involved in the processing of personal data shall fulfill the request of data subjects to amend (update) their personal data if such data are incomplete, obsolete, or inaccurate.

8.4. Right to erasure

A data subject has the right to the erasure of such data in case of the absence of lawful grounds (including the data subject's consent) for the processing of personal data.

8.5. Right to object/opt-out

Under the PDP Law, a data subject may:

  • withdraw their consent for the processing of personal data at any time without giving reasons; and
  • require, free of charge, termination of the processing of personal data if there are no legal grounds for the processing.

In that case, the operator is obliged to erase or, if erasure is not possible, block the personal data, as well as ensure that the data is no longer processed by the authorized person. Withdrawal of the data subject's consent is not retroactive, i.e., the processing of personal data preceding the withdrawal is not unlawful (e.g., seizing and destroying already printed, published material is not required).

8.6. Right to data portability

Belarusian legislation does not provide for the right to data portability.

8.7. Right not to be subject to automated decision-making

Current legislation does not establish the right not to be subjected to automated decision-making. Automated decision-making is not yet widely regulated in Belarus, even though the banking regulations contain certain provisions in regard to the scoring of creditworthiness.

8.8. Other rights

The PDP Law provides for the right of the data subject to claim compensation for damage, including moral damage, caused by the violation of their rights stipulated by that Law. Compensation for moral damage is not dependent on real damage and losses faced (or not) by the data subject. Data subjects can also appeal against the actions (including omissions) and decisions of the operator or the authorized party to the DPA.

At the same time, the decision made by the DPA, as well as the actions (or inactions) of the operator, can be appealed in court.

The Law on Information provides that the information owner is entitled to:

  • prohibit or suspend the processing of information and/or its usage in case of non-compliance with the data protection requirements;
  • apply to state authorities to assess the adequacy of its data protection measures, as well as for related consultations;
  • use, distribute, and provide the information it owns;
  • permit and restrict access to the information, and determine conditions for such access;
  • claim to be identified as the source of the information if it becomes publicly available under the data owner's decision;
  • determine the conditions for processing and usage of information in information systems and networks;
  • provide the rights to use information according to legislation or agreement;
  • protect its rights in the case of unlawful access or usage of the information by third parties; and
  • take data protection measures.

The rights described above are general in nature and, for the most part, have not been supplemented by specific and concrete legal requirements on data protection and processing, depending on the type of information processed. For example, under the Law on Information, an individual currently has no explicit right to request the erasure of their personal data. However, individuals may approach the controlling authority to alert it of any wrongdoing if their personal data has been unlawfully obtained and used.

9. Penalties

Criminal liability

Criminal sanctions in Belarus for the disclosure of specific types of information (e.g., information for limited distribution, which, inter alia, includes personal data) could be imposed only on a natural person and in cases provided by the Criminal Code of the Republic of Belarus.

The Criminal Code contains penalties for various violations related to the disclosure of certain types of limited/confidential information, for example:

  • for intentional disclosure of adoption secrecy against the will of the adopter or the adopted person, a person could be sentenced to community work, corrective labor for up to one year, or a criminal fine (as a general rule, the amount of criminal fine is 30 – 1,000 base units, which is approximately BYN 1,200 to BYN 40,000 (approx. $370 to $12,300)). As of September 2024, one base unit equals BYN 40 (approx. $12.3);
  • for the intentional disclosure of medical secrecy (depending on certain circumstances), a person could be sentenced to a criminal fine, the deprivation of the right to occupy certain job positions, perform certain activities, arrest, or the restriction or deprivation of their liberty for up to three years;
  • for the unlawful collection or provision of information relating to the private life and (or) personal data of another person without their consent (depending on the circumstances like scale or gravity), causing substantial harm to the rights, freedoms, and legitimate interests of a citizen, a person could be sentenced to community work, a criminal fine, arrest, or the restriction or deprivation of liberty for up to two years. For unlawful distribution, the penalty is restriction or deprivation of liberty for up to three years with a criminal fine. Higher liability may apply if the offense relates to victims performing public functions;
  • for the failure to comply with measures to ensure the protection of personal data by a person who processes personal data, resulting through negligence in the dissemination of the data and the infliction of serious consequences, a person could be sentenced to a criminal fine, the deprivation of the right to occupy certain job positions or perform certain activities, corrective labor for up to one year, arrest, restriction of liberty for up to two years, or deprivation of liberty for up to one year;
  • for the intentional unlawful violation of privacy of correspondence, phone, postal, telegraph, and other communications (depending on the circumstances), a person could be sentenced to community work, a criminal fine, corrective labor for up to one year, arrest, deprivation of the right to occupy certain job positions or perform certain activities, or deprivation of their liberty for up to two years; and
  • for the intentional unlawful disclosure of trade secrets or banking secrecy without the consent of the owner of such information (depending on certain circumstances), a person who obtained this information in connection with their professional activities, out of selfish interest, and causing damage on a large scale, could be sentenced to a criminal fine, the deprivation of the right to occupy certain job positions or perform certain activities, arrest, or the restriction or deprivation of their liberty for a term of up to three years.

The Criminal Code also provides for criminal sanctions for unlawful actions associated with a breach of security of technological (computer) systems and not connected with the disclosure of confidential information, for example:

  • unauthorized access to information stored in a computer system network accompanied by a violation of the data protection system;
  • unlawful destruction, blocking, or modification of computer information; and
  • unlawful obtainment of computer information.

Administrative liability

The Administrative Code is in a way similar to the Criminal Code, as it establishes sanctions for the unlawful disclosure of certain types of confidential information, as well as for unlawful actions associated with a breach of computer systems or unlawful usage of systems intended for data processing. At the same time, administrative offenses are relatively minor compared to criminal ones. Accordingly, administrative sanctions are less severe.

Examples of unlawful actions associated with the disclosure of limited/confidential information prohibited by the Administrative Code include:

  • the intentional disclosure of commercial or other legally protected secrets, for which the infringer could be fined an amount between four and 20 base units, which is approximately BYN 160 to BYN 800 (approx. $50 to $250);
  • the unlawful usage or disclosure of the information included in the register of securities owners, or information regarding results of financial and economic activities of securities' issuers, for which the infringer could be fined an amount between four and 20 base units, which is approximately BYN 160 to BYN 800 (approx. $50 to $250); and
  • the unlawful disclosure of service information, loss of the documents or computer data containing such information through negligence, for which the infringer could be fined an amount between four and 20 base units, which is approximately BYN 160 to BYN 800 (approx. $50 to $250).

In addition, the Administrative Offenses Code stipulates specific sanctions for personal data processing violations, including, inter alia:

  • intentional illegal collection, processing, storage, or transfer of personal data of an individual or violation of their rights related to the processing of personal data may cause a fine of up to 50 base units, which is approximately BYN 2,000 (approx. $611);
  • the same acts committed by a person to whom personal data are known in connection with their professional or official activity may cause a fine of between four and 100 base units, which is approximately BYN 160 to BYN 4,000 (approx. $50 to $1,220);
  • intentional distribution may cause a fine of up to 200 base units, which is approximately BYN 8,000 (approx. $2,450); and
  • failure to comply with measures to ensure the protection of personal data may cause a fine of between two and 10 base units, which is approximately BYN 80 to BYN 400 (approx. $25 to $122); for an individual entrepreneur, between 10 and 25 base units, which is approximately BYN 400 to BYN 1,000 (approx. $122 to $305); and for a legal entity, between 20 and 50 base units, which is approximately BYN 800 to BYN 2,000 (approx. $250 to $2450).

As to violations associated with a breach of computer systems or unlawful usage of systems intended for data processing, unauthorized access to computer information stored in a computer system or network, for example, may cause a fine of between 20 and 30 base units, which is approximately BYN 800 to BYN 1,200 (approx. $250 to $367).

Civil liability

As a general rule, civil liability in the form of monetary compensation of damages is imposed only in cases explicitly provided by law, for example, in the case of unlawful disclosure of trade secrets. The PDP Law establishes the compensation of moral (non-pecuniary) damage to the data subject in cases where such damage is caused by a violation of their rights with respect to personal data.

Disciplinary liability

Disciplinary liability for violation of the legislation on personal data may be imposed only on those categories of employees who are charged with the obligation to process personal data, for their violation of the personal data processing procedure. For instance, an employment contract may be terminated with an employee who violates the procedure for collecting, systematizing, storing, modifying, using, depersonalizing, blocking, distributing, providing, and erasing personal data. However, the employer may choose another type of disciplinary sanction (e.g., reprimand, service note, deprivation of all or part of incentive payments for up to 12 months).

9.1. Enforcement decisions

Currently, enforcement practices are being developed. There have been several cases concerning personal data protection. In particular, administrative fines have already been imposed on individuals for violation of personal data regulation, including illegal distribution of personal data on social media and violation of the personal data processing order by officials. Criminal cases related to personal data processing have also been initiated in Belarus. Several companies from the retail, banking, legal, and health care services sectors, as well as bookmakers, have been added to the list of scheduled state audits by the regulator for 2024. At the same time, there are examples of data breach incidents becoming a trigger for the NPDPC to take measures within its competence.

Further to this, there are cases prior to the adoption of the PDP Law that dealt with privacy issues. For example, a decision of the district court of August 11, 2017, on the claim for the compensation of moral damages confirmed that information about a person's private life contained in the court decision does not constitute personal and family secrecy, as it was the subject of judicial assessment in open court proceedings. References were made to the general civil legislation rather than special requirements for personal data processing.

For now, it is expected that the NPDPC will continue to clarify the interpretation of requirements and its enforcement approach following a number of complaint-based and scheduled inspections of compliance with the PDP Law performed during 2024. Notably, the NPDPC has no power to impose fines, as that power rests with the internal affairs bodies and courts at the moment. However, it is planned to confer the corresponding powers on the regulator.