Personal data protection has become one of the key topics in the modern world, especially in the rapidly developing digital space. In recent years, the attention of governments and organizations around the world has become increasingly focused on the safe handling of personal information. One of the most significant steps in this area has been the adoption of the General Data Protection Regulation (GDPR) in the European Union, which defines new standards for the treatment of personal data. In Belarus, located between the East and the West, the issues of implementing the protection of personal information are also becoming more relevant. In this article, we will look at the main aspects of personal data protection, the application of GDPR in Belarus, as well as analyze existing legislation, practical approaches and challenges faced by companies in the process of ensuring personal data protection.
Personal Data Protection in Belarus
Personal data in Belarus is any information that can be associated with a specific person and allows them to be identified. Such data include: name, address, phone number, passport data, information about the place of work and other information that can be used to identify an individual.
Organizations and government agencies are obliged to ensure the protection of personal data of citizens. The procedure for protecting such data is set out in state requirements, namely in the Law from November 2021.
Processing of Personal Data
The processing of personal data includes any actions with personal data, including the collection, storage, systematization, and deletion of personal data.
Personal Data Protection According to GDPR
The General Data Protection Regulation (GDPR) defines the rules for the collection and storage of personal information of citizens of the European Union. It is mandatory for all companies, regardless of their location — both in the EU and outside it, if they process the personal data of EU citizens. This regulation came into force in May 2018.
Personal Data Processing
The processing of personal data of citizens of the European Union according to the GDPR includes all actions with such data, including their collection, recording, structuring, storage, processing, use, transfer, destruction and other operations. According to GDPR, personal data includes all identifiers that allow you to identify individuals on the network, such as IP addresses and cookies. Companies that work with the personal data of EU citizens must adapt their business processes in accordance with GDPR requirements.
As you can see, the same approaches are applied to the definition of personal data and their processing in the GDPR and in the Belarusian Law “Personal Data Protection”. To understand such approaches and take practical measures to protect personal data in accordance with the requirements of the Belarusian state and GDPR, we recommend contacting experienced experts in the field of personal data.
When Companies Need to be Guided by GDPR, and When – by the Belarusian Law
It does not matter where the company processing the personal data of European Union citizens is located. Companies must comply with GDPR requirements if:
- They are located on the territory of the European Union or outside it, but carry out activities focused on EU countries and at the same time process personal data of individuals.
- They cooperate with partners from the European Union and receive users’ personal data.
- They collect and analyze information from the territory of the European Union and provide goods and services to its residents.
- They are authorized persons – they process personal data on behalf of an operator subject to the general data protection regulation.
All companies that process personal data of individuals on the territory of Belarus should be guided by the requirements of the Belarusian state on the protection of personal data.
To understand your situation and apply certain personal data protection requirements to it, you can consult with our experienced specialists in the field of personal data protection.
Basis for Personal Data Processing in Belarus
Processing of personal data in Belarus according to local requirements is usually allowed only with the consent of the subject himself (the individual whose personal data is being processed), or without consent, if there are legitimate grounds according to the established list.
Without the consent of the subject, his personal data can be processed in strictly defined cases, which include:
- Conducting judicial and other state procedures.
- Registration for work and in the process of work.
- Concluding a contract with the personal data subject, where the data is processed for the purpose of fulfilling this contract.
- When the personal data subject has himself transferred the data to the operator. An operator is a company or an individual who processes personal data.
- When the duties of the operator, defined by the state, include the processing of personal data.
Basis for Personal Data Processing under GDPR
There are two types of basis for processing personal data of EU citizens. One of them is the consent of a citizen, and the other is the basis when obtaining consent is not mandatory according to the GDPR. The consent of an EU citizen to the processing of personal data is not required if the personal data is used only to conclude a contract with an individual.
In all other cases, it is necessary to obtain the consent of a citizen of the European Union for each operation with his personal data. Before obtaining consent, it is necessary to provide individuals with access to information about the company and the purposes of processing personal data. The form of obtaining consent on the site can be expressed, for example, by a sign in a special form on the site or by choosing technical settings on the site.
Who Controls Personal Data Protection Issues in the Company
To ensure the correct application of the GDPR and the Belarusian requirements for the protection of personal data, the operator, the data owner (for example, the customer of the software), appoints a DPO (Data Protection Officer) – a specialist in personal data protection.
This professional is responsible for handling requests from individuals and interacting with regulatory authorities. According to the Belarusian requirements for the protection of personal data, every company working with individuals is required to have specialists in the processing of personal data. In contrast, there is no such strict requirement for the processing of personal data of EU citizens. According to GDPR, a DPO can be both an outsourcing specialist and an employee of a company. DPOs are appointed or hired by organizations that:
- Process the personal data of numerous EU citizens.
- Process large volumes of special categories of personal data.
In Belarusian companies that process personal data of EU citizens, the DPO fulfills not only local requirements for personal data protection, but also the requirements of European regulations.
It is not easy to select a DPO candidate, but we can undertake such a selection and ensure that the candidate meets both your requirements and the requirements in the field of personal data protection.
Regulatory Authorities in the Field of Personal Data Protection
Of course, the regulation of personal data protection by the state differs in Belarus and in the countries of the European Union. Technically, European regulators in the field of personal data protection can fine Belarusian companies that violate GDPR requirements when processing personal data of EU citizens. European regulators also have other ways to influence companies that do not comply with GDPR requirements.
Regulatory Authorities in Belarus
The state body that monitors compliance by operators and authorized persons with personal data protection requirements is the National Center for Personal Data Protection (NCPD). The NCPD considers complaints from subjects regarding violations in the processing of their personal data.
Since January 1, 2024, the NCPD has been maintaining the state database “Register of Personal Data Operators”. Operators include in the Register information about information resources (systems) that process large amounts of personal data, as well as resources that process biometric and (or) genetic personal data.
Regulatory Authorities in the European Union
Regulators in the field of personal data include government agencies, in particular the courts, in each country of the European Union.
The regulator has the right to:
- Check compliance with the rules of personal data processing.
- Issue warnings and prescriptions to comply with GDPR.
- Establish conditions for the cross-border transfer of personal data.
- Prohibit the processing of personal data and fine for violations of the GDPR.
Within the framework of the European Union, this area is monitored by the European Council for the Protection of Personal Data.
How to Determine the Sufficiency of Measures to Protect Personal Data
There is no universal approach that would suit all operating companies regarding the sufficiency of measures to protect personal data.
Each company faces unique risks. Therefore, when conducting internal control over the processing of personal data, it is necessary to compare the measures taken to protect them with the risks specific to this company. This approach is called the “risk-based approach”. In the case of processing personal data of citizens of the European Union, a Belarusian company needs to take into account not only local requirements for the protection of personal data, but also the risks associated with the application of GDPR.
During the internal control, the DPO can identify risks associated with specific business processes. In addition, risks can be detected during inspections by the National Center for Personal Data Protection or as a result of complaints from citizens about the processing of their personal information.
The relevant risks are identified by the company’s DPO. Based on the data obtained, the DPO informs the company’s management about the identified risks associated with the processing of personal data and suggests additional measures to reduce these risks, complementing existing protection methods.
Contact us
If you have any questions or disputes regarding personal data protection in Belarus, we will be happy to help! Our long-term experience in dividend payment will help you resolve any disputes in this area.
- +37529142-27-19 (WhatsApp, Viber, Telegram);
- info@ambylegal.by.