Personal Data

In modern society, personal data refers to any information that directly or potentially identifies an individual. In Belarus, legal regulations classify personal data to include not only standard identifiers such as full name, date of birth, and address, but also biometric information (e.g., fingerprints, iris scans) and genetic data.

Until November 2021, the regulation of personal data in Belarus was fragmented. The new law enacted at that time introduced a comprehensive framework: it defined the key participants in the data processing chain (data subjects, operators, and authorized persons) and set out principles of processing, security requirements, and mechanisms for protecting individuals’ rights.

Today, personal data operators (companies and sole proprietors that handle personal data) apply a risk-based approach to data processing. They independently determine the appropriate level of protection and implement legal, technical, and organizational measures in proportion to the nature and scale of data processing. They are also required to appoint data protection officers, develop internal policies, train employees, and implement cryptographic or other technical safeguards.

The National Center for Personal Data Protection (NCPDP) oversees compliance with personal data laws. According to its 2025 plan, at least nine operators will be subject to scheduled audits, including major IT companies, banks, and educational institutions, with provisions for unscheduled on-site inspections as well.

The main rights of data subjects (i.e., individuals whose data is being processed) include access to their data, correction, deletion, blocking, and the right to lodge complaints and appeal operator actions. In many ways, Belarusian legislation mirrors the European GDPR by promoting transparency, risk minimization, and oversight in personal data processing.

Key Terms in the Field of Personal Data

Understanding fundamental terminology is essential for proper data handling. Below are the primary roles and data types subject to legal protection.

Data Subject
A data subject is a natural person whose personal data is processed. This includes anyone whose data is collected, stored, used, or otherwise handled, such as a customer, employee, contractor, newsletter subscriber, or website user. The key criterion is the presence of identifiable information: name, address, phone number, passport details, etc.

Data Operator
A data operator is a legal entity or sole proprietor who determines the purposes and methods of personal data processing. Operators are responsible for ensuring that data processing complies with legal requirements and that data subject rights are respected. Common examples include employers, online retailers, banks, insurance companies, and educational institutions.
Operators may delegate processing to others but remain fully responsible for compliance.

Authorized Person
An authorized person is a third party contracted by the operator to process personal data. They act under a contract or mandate and must apply the same safeguards as the operator. For example, an accounting firm granted access to employee data or an IT provider managing a CRM system would be considered authorized persons.

What Constitutes Personal Data Processing
Processing refers to the entire data lifecycle, including:

  • Collection and registration
  • Systematization and accumulation
  • Storage and use
  • Transfer (including to third parties and across borders)
  • Anonymization
  • Blocking and deletion

Even storing personal data in corporate email or an Excel spreadsheet qualifies as processing.

Categories of Personal Data
Personal data is classified into several categories based on its sensitivity:

  1. General Data – includes name, date of birth, address, phone number, place of employment, and education. These are the most commonly used data types across businesses.
  2. Special Categories of Data – includes information revealing racial or ethnic origin, political opinions, religious beliefs, health status, criminal records, etc. Processing such data requires heightened care and compliance.
  3. Biometric Data – derived from processing physical characteristics such as fingerprints, facial images, voice, iris scans, etc., often used for identity verification.
  4. Genetic Data – pertains to inherited characteristics at the DNA level. These are typically used in medical and scientific contexts.

A clear understanding of who is involved in the data processing chain and the types of data being handled enables organizations to build effective personal data protection systems and avoid legal risks.

Principles of Personal Data Processing

Effective and lawful handling of personal data is only possible when basic processing principles are followed. These principles reflect the generally accepted approach to information protection and form the foundation for an organization’s internal data policies.

Lawfulness and Fairness

Personal data must be processed on clear, fair, and transparent grounds. This means the organization must have a legitimate purpose and a legal basis for collecting someone’s personal information. Data should not be collected “just in case” or without notifying the data subject. Fairness implies respect for the individual’s interests and excludes manipulation or hidden practices.

Purpose Limitation and Data Minimization

Organizations should collect only the data that is strictly necessary for a specific purpose. If the purpose can be achieved without certain categories of data, those should not be collected or stored. For example, delivering a product does not require passport details or information about marital status. The principle of minimization helps reduce data breach risks, streamline internal processes, and strengthen customer trust.

Accuracy and Relevance

Personal data must be accurate and up to date. The data controller is obliged to take reasonable steps to correct inaccurate or outdated information. For instance, if an employee changes their home address or phone number, the data should be updated promptly. Inaccurate information may lead to financial losses, delivery errors, miscalculations, and other negative outcomes.

Storage Limitation and Deletion

Data must not be stored indefinitely. The retention period should be limited to what is necessary for the processing purpose. Once the purpose is fulfilled, the data should be deleted or anonymized. For example, after an employee resigns, their personal data should be kept only for the legally required periods related to archiving, payroll, or audits, after which it must be securely deleted.

Security and Confidentiality

Data processing must include measures to protect information from unauthorized access, loss, alteration, or disclosure. This applies to both technical measures (encryption, access control, backups) and organizational approaches (staff training, internal regulations, contractor oversight). Only employees whose duties require access to personal data should be granted it.

Obligations of a Personal Data Controller

The personal data controller is the central figure in the data processing lifecycle. They are responsible for ensuring compliance with legal principles and requirements. Regardless of the organization’s size, the controller must establish a data protection system, monitor its performance, and enable the exercise of data subject rights.

Appointment of a Data Protection Officer (DPO)

The first step in organizing personal data processing is appointing an authorized employee or department responsible for managing data protection and security. This person coordinates internal policies, liaises with supervisory authorities, and advises management on data protection matters. This role is especially important for organizations handling large volumes of data or operating in sectors such as healthcare, education, or online services.

Development of Internal Documentation

Personal data operations must be governed by internal policies and procedures. The controller is required to develop and implement internal regulatory documents that define:

  • The purposes and methods of data processing.
  • Rules for internal data access.
  • Procedures in case of a data breach or unauthorized access.
  • Retention and deletion timelines.
  • Formats for consent and data subject notifications.

These documents must reflect real business processes and should be regularly updated when changes occur.

Staff Training
Employees who have access to personal data must be familiar with the rules for processing it. These employees are required to follow protective measures. Training may include initial briefings, regular knowledge checks, workshops, and distribution of updates. Lack of staff awareness is one of the main causes of incidents related to data leaks or unauthorized disclosure.

Technical and Organizational Measures
The data controller is obliged to ensure the security of personal data by implementing both technical and organizational measures. These include:

  • Installing antivirus software and firewalls;
  • Restricting access to information systems;
  • Protecting data during transmission (e.g., via encryption);
  • Backing up data and monitoring the use of external devices;
  • Tracking user actions and preventing unauthorized access.

Organizational measures also involve contractor oversight, information security audits, and introducing rules for handling physical (paper) documents.

Logging and Record-Keeping
The controller must keep records of operations involving personal data. This includes:

  • Recording data access events;
  • Documenting transfers of data to third parties;
  • Logging security incidents and corresponding response measures;
  • Storing subject consent and its withdrawal history.

Such documentation helps demonstrate compliance with legislation, reconstruct data processing in the event of disputes or inspections, and ensures transparency of processes.

A comprehensive approach to fulfilling the duties of a data controller not only reduces legal risks but also demonstrates the organization’s maturity in terms of digital responsibility and information governance culture.

Data Subjects’ Rights

One of the key goals of personal data protection legislation is to give individuals control over information about themselves. Every data subject is entitled to a set of rights that allow them to understand, influence, and manage how their data is used. The controller must not only comply with these rights but also provide convenient mechanisms for exercising them.

Right to Information About Personal Data
Individuals have the right to know who processes their data, for what purposes, on what legal grounds, what categories of data are used, and to whom the data is disclosed. Upon request, the subject must receive comprehensive and clear information, including details on storage periods and security measures.

It is important that the controller does not withhold information under the pretext of “internal policy” and provides answers within a reasonable timeframe. No fee may be charged when the request is a first-time or standard inquiry.

Right to Access, Rectify, Block, or Erase Data
A subject may contact the controller to:

  • Access their personal data;
  • Correct or complete outdated or inaccurate information;
  • Temporarily block data processing;
  • Erase data if the processing purpose no longer exists or if consent has been withdrawn.

For instance, if a customer no longer wants their phone number to be used for marketing messages, they may request its deletion from the controller’s database. The controller must either comply or provide a lawful justification for refusal (e.g., if the data is needed to fulfill contractual obligations or legal requirements).

Right to Withdraw Consent
If personal data is processed based on the subject’s consent, the subject may withdraw that consent at any time without needing to provide a reason. Once consent is withdrawn, the controller must stop processing the data unless another legal basis exists (such as labor or tax law requirements).

The controller must provide a simple and clear method for withdrawing consent, such as an online form, a user account setting, or a written request. Making the withdrawal process difficult or ignoring such requests violates the subject’s rights.

Filing Complaints and Challenging Controller Actions
If a data subject believes their rights have been violated (e.g., their data was shared without consent, or the controller refused to erase it), they may file a complaint. This can be submitted directly to the company (controller) or to the authorized government body responsible for data protection. In Belarus, this is the National Center for Personal Data Protection (NCPDP).

Additionally, the subject may take legal action, including claiming compensation for moral damages.

The enforcement of data subject rights is not a mere formality but a critical aspect of legal security and public trust. For controllers, respecting these rights is not only a legal requirement but also a sign of corporate maturity, customer focus, and operational transparency.

Personal Data Regulator: The Role of the NCPDP

The personal data protection system in Belarus is based on the principle of state oversight. The key supervisory authority in this field is the National Center for Personal Data Protection (NCPDP). In addition to monitoring compliance with the law, the Center also plays an important consultative and preventive role.

Powers of the NCPDP

The NCPDP is vested with broad authority aimed at ensuring lawful and secure processing of personal data. Specifically, the Center:

  • monitors how organizations process personal data;
  • handles complaints from individuals and legal entities;
  • issues orders to eliminate violations;
  • maintains the register of data controllers;
  • participates in the development of guidelines and informs the public.

The Center has the right to request documents, analyze information systems, and interview employees of organizations. Its orders are legally binding.

Scheduled and Unscheduled Inspections

The NCPDP conducts both scheduled and unscheduled inspections:

  • Scheduled inspections are carried out according to an approved plan. They typically target large companies, government bodies, and operators working with sensitive data.
  • Unscheduled inspections are initiated based on complaints, reports of potential violations, or risk assessments. For instance, a mass data leak reported in the media may trigger an unscheduled inspection.

During an inspection, the Center may analyze documents, interview responsible personnel, examine IT systems, and review internal policies. Organizations are required to cooperate with the Center’s representatives.

Consequences of Identified Violations

If violations are identified during an inspection, the NCPDP may:

  • issue an order to rectify the violations within a set timeframe;
  • suspend or restrict the processing of personal data;
  • refer materials to other regulatory bodies or to the court;
  • initiate administrative proceedings against responsible individuals.

Unintentional violations usually result in a warning and an order to comply. However, repeated or serious violations, especially those involving data breaches or disregard for data subjects’ rights, may lead to more severe consequences, such as fines, temporary suspension of activities, and reputational damage.

Guidelines and Clarifications from the NCPDP

The NCPDP actively publishes guidance materials, answers to frequently asked questions, templates, consent forms, and instructions on secure data handling. These resources are valuable for legal professionals, business leaders, IT specialists, and employees who handle personal data.

Organizations may contact the NCPDP for consultations, submit inquiries regarding legal compliance, and request support in implementing data protection measures. This dialogue with the regulator helps mitigate risks and fosters a culture of responsible data management.

Conclusion

Personal data is not just information about a person. It is a sensitive asset that must be handled with the utmost responsibility. Companies acting as data controllers must not only understand the rules of data processing but also build a resilient protection system that upholds the principles of legality, transparency, and respect for data subjects’ rights.

Government requirements in the area of personal data protection continue to evolve. Neglecting these issues can lead to both legal and reputational consequences. At the same time, a well-structured approach to personal data processing fosters trust among clients, partners, and employees, and reduces business risks.

If your organization needs an audit of current processes, assistance with drafting internal policies, staff training, or legal support when interacting with the NCPDP, the experts at AMBY Legal are ready to provide practical solutions and full support at every stage.

Contact us

If you have any questions related to personal data in Belarus, we will be happy to help! Our long-term experience will help you choose a lawyer to represent your interests.

  • +375 29 142-27-19 (WhatsApp, Viber, Telegram);
  • info@ambylegal.by.