Personal Data

The topic of personal data protection is increasingly relevant for businesses and individuals. Personal data includes any information about an individual that helps to identify him. In this regard, disputes about the protection of personal data are increasingly arising between individuals and large companies that massively process personal data and risk large amounts of such data. Companies that process personal data are called “operators”. Disputes most often occur in connection with the leakage of personal data or their excessive processing: when operators request more data from individuals than is necessary for the purpose for which they process the data.

Our experienced lawyers will help you understand the specifics of the organization of personal data protection in the company and in resolving disputes that arise in this area. We help to organize the work on the processing of personal data, resolve disputes and fully accompany them during their resolution.

What Are Personal Data?

Personal data is any information that relates to an identifiable individual. It generally falls into two groups. Basic data includes your name, phone number, or birth date—details used to verify who you are and requiring careful protection. Special categories cover more sensitive information like health records, political views, religious beliefs, IP addresses, and cookies.

To decide if something is personal data, ask: Does it identify a specific person? Ties directly to someone, like ownership of a car? Or could it single someone out from a crowd, like a home address or workplace? As technology evolves, even online markers like IP addresses and cookies count as personal data, since they can help trace your identity. That’s why privacy laws now cover them too.

protects personal data

The operators of personal data in the Republic of Belarus include Belarusian organizations and individual entrepreneurs. Operators are obliged to organize the protection of personal data. Operators are companies and individuals who conduct business and at the same time process personal data of individuals themselves or jointly with other operators. The processing of personal data includes any action with them: collection, systematization, storage, modification, depersonalization, distribution, deletion of personal data, etc.

Each company that processes personal data must create a special department or appoint employees who control the processing of data within the organization.

There is a state body in the Republic of Belarus that checks whether operators comply with the legislation on personal data. This is the National Center for Personal Data Protection (NCPD). Importantly, the NCPD considers complaints regarding the processing of personal data. Such a complaint must be filed within three months from the day when the author of the complaint found out about the violations.

What is the Register of Personal Data Operators

The NCPD will create a state database ”Register of Personal Data Operators“ from January 1, 2024. Consequently, the Register will include information about information resources (systems). With the help of which, in particular, personal data of more than 100 thousand adult individuals and more than 10 thousand individuals under 16 years of age, information about resources for processing biometric and (or) genetic personal data are processed.

Personal data operators need to enter information into the Register no later than January 15, 2024.

Common Personal Data Disputes

Disputes in the field of personal data may arise between an individual and the operator or between the operator and the NCPD.

Disputes between an individual and an operator

Such disputes are most often related to excessive personal data that the operator requests from an individual. Such data is not objectively necessary for the purposes for which the operator collects personal data. For example, for the delivery of goods from an online store, data on the identification number of an individual or his place of work is objectively not needed. An individual may complain about the excessive processing of personal data to the operator himself and request that the excess personal data be deleted or send a complaint to the NCPD. In the latter case, the operator may receive a check and fines are possible.

It is important to check and correct, if necessary, the list of personal data and the purposes of their processing, which companies prescribe in the form of consent to the processing of personal data.

Disputes between NCPD and operators

Such disputes may arise as a result of checking the requirements for the protection of personal data in the company. Most often, disputes are related to the leakage of personal data, their insecurity, and dissemination without the consent of individuals.

Rights of Individuals

This is usually caused by imperfection of the software, intentional actions, or happens from ignorance of the legislation on personal data protection.

Our experienced lawyers can audit the company’s internal documents on personal data issues. If necessary, our experts can develop the necessary documents.

Rights of Individuals Under Data Protection Law

With the new data protection law, customers and users gain strong rights that give them real control over their personal information. They can withdraw consent for data processing at any time, actively managing how their details are handled. They also have the right to know how and why their data is used, letting them make informed choices about their privacy.

Importantly, they can correct inaccurate information to keep records up to date, find out who received their data, and even demand that data be deleted or better secured. Companies handling this data must comply. They’re required to respond to information requests within 5 business days and deliver complete details within 15 days. This new legal framework significantly strengthens individual rights, reflecting the critical role of personal data protection in today’s digital world.

Sharing Personal Data

Passing personal data to third parties is allowed, but only under strict legal guidelines. This often includes sharing information with staff like accountants or marketers, or contractors working under private agreements that have clear data protection clauses.

Whenever data is processed or shared, a formal agreement is needed. It must clearly define what data is involved, why it’s being used, and the specific steps each party will take. The contract should also outline measures to keep personal data confidential and secure from unauthorized access, ensuring all parties uphold strong privacy standards.

Legal Grounds for Processing Personal Data

Personal data can only be processed if there’s a clear legal basis for it. Belarusian law spells out these grounds in detail. In the financial sector, processing often relies on four main foundations: the individual’s consent; the need to fulfill a contract with the person, such as opening a bank account; compliance with duties set by law; or requirements tied to national security, anti-corruption, and anti-money laundering regulations.

While consent is a common ground, it’s not always required. Many state bodies and organizations process personal data without consent because their legal powers demand it. This framework ensures personal data isn’t handled arbitrarily but strictly under established legal principles.

Key Documents

To comply with data protection laws, every organization — including those in finance — must establish clear internal rules for handling personal data. This means preparing essential documents that govern processing activities and, where required, publishing them on the company website or app.

A risk-based approach lets each organization decide which safeguards are needed. Still, the National Personal Data Protection Center requires certain mandatory records, like lists of authorized employees with access to data and registers of IT systems holding personal information.

Two main documents anchor these processes. The Internal Regulation on Personal Data Processing sets rules inside the company, while the Privacy Policy, published online or in the app, informs clients and users. This policy spells out who collects and uses data, what data is processed, for what purposes, and what rights individuals have — along with how they can exercise them.

When data is processed based on consent, the organization must provide clear, separate details about this before processing begins. Simply pointing to a privacy policy isn’t enough; individuals need explicit, standalone information to make informed choices.

Storing Personal Data and Maintaining Records

A core rule of personal data processing is limiting how long data is kept. Personal data should only be stored as long as needed for the purpose it was collected. In Belarus, retention periods are often set by law—like the Ministry of Justice regulation that outlines timelines for financial documents. If the law doesn’t set a period, companies must define one themselves.

Breach Notification Duties

It’s also crucial to consider where data is stored. Belarus doesn’t require data localization, but strict rules apply to technical protection. Personal data must be processed only in IT systems equipped with certified security tools that meet standards set by the Operations and Analysis Center (OAC). Using systems without certified protection violates Belarusian law.

On top of this, companies must keep detailed records of data processing activities. An internal registry tracks all data types, processing methods, retention periods, and legal grounds. Access to personal data is carefully controlled within the company, with rules clearly laid out in internal documents to separate duties across departments and staff.

Breach Notification Duties

If a company’s personal data protection system is compromised, it must promptly notify the National Personal Data Protection Center (NPDPC). By law, this notice must be sent without delay, and no later than three business days after discovering the breach.

Though there’s no direct obligation to inform affected individuals, it’s considered good practice to post a notice on the company’s website.

However, notification to the NPDPC isn’t required if the breach didn’t lead to unlawful sharing of personal data or to data being altered, blocked, or deleted in a way that permanently cuts off access. This approach focuses regulatory attention on serious incidents that truly endanger data security.

The Right to Be Forgotten

Belarusian law (Article 28 of the Constitution) guarantees every person protection from unlawful intrusions into private life, including the privacy of their mail, phone calls, and other communications. With technology rapidly advancing, this principle now extends to personal data, shielding it from unauthorized use or exploitation for commercial or governmental purposes.

A new Belarusian legislative initiative strengthens this by introducing a true “right to be forgotten.” This means individuals will have the legal power to request the deletion or correction of their data from databases, to be informed about how their data is used, and to object to certain types of processing. It marks an important step in giving people real control over their digital footprints.

Personal Data of Children, Relatives, and Deceased Persons

As automated data technologies expand into every part of life, children’s privacy faces new risks. To protect minors, the law requires that personal data of anyone under 16 can only be processed with consent from a parent or legal guardian.

Similarly, handling the personal data of deceased individuals demands careful safeguards. It’s only permitted if the person consented while alive, or if close relatives or heirs give their approval. This ensures sensitive information remains respected and secure, even after death.

Sharing Personal Data Without Consent

Belarusian law strictly regulates how personal data is handled, and there are serious consequences for violations. The data protection authority can order a company to change, delete, or block inaccurate or unlawfully obtained data and fix other legal breaches.

Under Article 22.13 of the Administrative Code, anyone who intentionally discloses personal data they learned through their work faces fines ranging from 4 to 20 base units. This underscores how critical it is to handle personal data responsibly and only share it with proper consent.

Our Services

Data Dispute Resolution

We help navigate disputes over data protection, working to secure fair outcomes while minimizing business disruption and regulatory exposure.

Risk Assessment & Legal Review

We evaluate data protection practices, identify compliance gaps, and provide a clear plan to mitigate legal and operational risks tied to information security.

Cross-Border Data Guidance

Get tailored advice on international data transfers, ensuring your processes align with local and global laws for smooth, lawful operations.

Support in Enforcement & Disputes

We guide you through investigations, represent your interests in disputes, and assist with enforcement actions related to data protection obligations.

Internal Data Protection Policies

Draft clear, compliant internal rules covering data processing goals, legal bases, access controls, and handling of personal data requests.

Appointing a Data Officer

Help designate a responsible data officer, establish internal monitoring, and document training to maintain accountability in your organization.

Defining Processing Purposes & Methods

Clarify why and how your business processes personal data, setting a solid foundation for lawful, transparent operations.

Access Controls Setup

Structure detailed access levels so only authorized staff handle sensitive personal data, reducing risks of leaks or misuse.

Managing Data Subject Requests

Create clear workflows for receiving, reviewing, and responding to personal data requests, keeping you compliant and customer-focused.

Video Surveillance Rules

Draft policies on workplace video monitoring to balance safety needs with privacy rights, ensuring full legal compliance.

Website Legal Tools

Equip your website with essential privacy notices, cookie banners, and terms to meet regulatory standards and build trust online.

Employee Data Handling Compliance

Train and guide staff to process personal data correctly, protecting individual privacy and keeping your company on the right side of the law.

Third-Party Contracts

Prepare agreements with processors or partners that clearly define data handling responsibilities and safeguard personal information.

Cross-Border Transfer Rules

Determine when and how to lawfully move data across borders, documenting these grounds to support international growth.

Data Deletion Procedures

Set formal rules for securely destroying personal data when it’s no longer needed, reducing liability and reinforcing data protection commitments.

Types of Liability for Personal Data Violations

Employee Disciplinary Action

Staff responsible for handling personal data who fail to follow company rules or legal standards can face disciplinary measures. This might include reprimands, demotion, or even termination, depending on the seriousness of the breach and internal company policies.

Fines & Administrative Penalties

Courts can impose significant fines on individuals and organizations for data protection failures. For example, not safeguarding personal data can result in penalties ranging from roughly $740 to $1,850. These decisions can be appealed within 10 days of issuance.

Compensation for Harm

Individuals harmed by mishandling of their personal data can sue for damages, including both financial losses and emotional distress. Often, it’s wise to seek voluntary compensation first. If refused, court action can secure full reimbursement with expert legal support.

Types of Personal Information

General data

Name, birth date, workplace, and contact details—common details that still need safeguarding, even if they’re easy to find online.

Special data

Sensitive areas like race, health, criminal records, and political or religious beliefs, which are rarely public and demand strict protection.

Biometric data

Unique biological markers such as fingerprints. A simple photo doesn’t count unless it’s used specifically for biometric identification.

Other data

Social status—often grouped differently but still relevant to privacy. Special data ties closely to personal identity and typically needs extra care, while other data tends to be broader and can change over time.

Requirements for Collecting, Processing, and Protecting Personal Data

Belarusian law sets clear principles for how personal data must be collected, processed, and protected. First, it’s essential to define the purpose—whether hiring staff, sending marketing materials, or managing contracts. This ensures data is only gathered for legitimate, clearly stated reasons.

Next is the scope of data collected. It should strictly match the stated purpose. For instance, there’s no need to request an email address when shipping a product if a name, phone, and delivery address suffice. If the email is needed for marketing, that purpose must be separately specified.

Obtaining consent is another critical requirement, unless the law explicitly allows processing without it. Consent should be clear, specific, and easy to understand—more than a vague notice like “by staying on this site, you accept our policy.” It’s best to have users tick a box confirming they’ve read and agreed to your Privacy Policy.

Before giving consent, individuals must also be informed about your business activities, what data you collect, why you need it, how long you’ll keep it, and how it’s protected. All of this should be laid out in a clear Privacy Policy or Data Processing Policy available to them beforehand.

Why Us

Cross-Industry Experience

We’ve worked across tech, finance, healthcare, and beyond. That broad perspective means sharper insights, fewer blind spots, and solutions that actually fit your business reality, not just generic legal theory.

We Speak Your Language

No confusing legal double-speak here. We break it all down into practical terms, so you’re always clear on your options and confident in every decision you make.

Impressive Success Record

Our results speak for themselves—years of securing favorable outcomes, tackling tough cases, and building strategies that stand up under pressure when it matters most.

Resolving Complex Legal Issues

We thrive on untangling the tough stuff. Whether it’s multi-layered compliance or tricky disputes, we bring clarity and direction when your situation feels overwhelming.

Saving Your Time

We handle the heavy lifting, streamline the process, and keep things moving—so you can stay focused on running your business, not chasing down legal paperwork.

Saving Clients’ Money

We’re serious about efficiency. From smarter contract structures to avoiding costly pitfalls, we work to protect your bottom line as fiercely as we protect your rights.

FAQ

What counts as consent to process personal data?

It’s a free, specific, informed, and unambiguous declaration by the individual allowing their data to be processed. Under Belarusian law, it must be given in writing or electronically through a clear, active step.

Why can written consent be invalid?

If it lacks key elements like processing purposes, data scope, storage period, or withdrawal rights—or uses generic language that doesn’t reflect real objectives—it risks being declared invalid in court.

What mistakes happen when collecting online consent?

Common errors include pre-ticked boxes (not a valid active action), no option to download consent text, or treating privacy policies as substitutes for actual consent. Each violates Belarusian standards similar to GDPR.

What are the consequences of consent errors?

They include administrative fines, orders to fix violations, possible blocking of data processing, and serious reputation damage if customers file complaints. Belarusian regulators actively enforce these rules.

What does case law and administrative practice show?

Belarusian courts typically support the data regulator. They void consent if it lacks a clear data list or withdrawal method, emphasizing transparent interactions—especially during face-to-face contacts or electronic verification.

How to properly get consent in person?

Provide a document detailing processing goals, data types, duration, and withdrawal rights. Have the person sign and keep a copy. Best practice: also email them a duplicate for proof.

How to ensure legally sound online consent?

Use separate, unticked checkboxes, log IP, date, and exact consent text. Don’t bury it in general terms of use. Consent must directly relate to registration, orders, or subscriptions.

Why is tracking consent withdrawal important?

By law, individuals can withdraw consent anytime. You must stop processing within 15 days and keep records of withdrawals to avoid disputes or future claims for damages.

Home / Services / Litigation and Dispute Resolution / Data Protection Disputes

Contact us

Lawyer

Legal assistance is provided by advocate Anton Grinewich, Specialized Legal Bar No. 2 in Minsk.
E-mail

info@ambylegal.by
Address

Office: 1 Krasnaya str., Minsk, Republic of Belarus Postal address: 1 Krasnaya str., Minsk, Republic of Belarus
Working hours

Monday-Friday 9:00-19:00

News

Sequence of Steps in Donating an Enterprise

Donating an enterprise is a rare but legally permissible transaction used when an owner wishes to transfer a business to another person free of charge. Unlike a sale or inheritance, donation is based on different motivations: it may stem from family circumstances, succession planning, or support for partners or other individuals. It is important to […]

By Ambylegal

30.09.2025

Exclusion of a Participant from a Company

A joint business is always associated with certain risks: at the start, partners may share the same vision and common goals, but over time their interests may diverge. Sometimes one of the participants ceases to fulfill their duties, blocks the company’s operations, or uses their position to the detriment of others. In such cases, the […]

By Ambylegal

25.09.2025

Renunciation of Inheritance

Receiving an inheritance is traditionally perceived as the acquisition of property or money, but in practice it can result not only in benefits but also in significant responsibilities. Along with the inheritance, the heir receives not only the assets, but also the debts of the deceased, as well as certain obligations to maintain the property. […]

By Ambylegal

23.09.2025